Solved

Strategy for account creation and confirmation

Posted on 2013-05-26
4
271 Views
Last Modified: 2013-06-09
I am building a website where someone signs up for an account. I then send them a confirmation email message. The confirmation email message then has a link to the login page.

I noticed other site have this strategy. I am confused though. Why are they sent a confirmation email when they can just go directly to the login page by clicking on a "Login" link already on the page?

Can someone help me to understand? Also, instead, Should my confirmation email have a unique key like a guid which I should check when the person logs in for the first time? Would that be a much better strategy?

The guid would be embedded in the URL so that I could get this value and check it when the person logs in for the first time.
0
Comment
Question by:brgdotnet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 63

Expert Comment

by:btan
ID: 39198514
It is actually to send to the intended user email for requested account creation and not to other intended email on behalf. This is just an mean to the end and not foolproof to assure authorise party via the confirmation. There can be further identity check tied to it beside email which can also be spoofed..
 The uniqueness of the link leading to the confirmation page should allow acknowledgement and single sign on for that short period using some sort of random session id tied to that user account. The confirmation should not persist after the period enforced.

Likewise also to deter bot creating account using some automated form filler and creating orphan or dead account or unuathorised account.

You can see this discussion too
http://stackoverflow.com/questions/1495032/do-we-really-need-email-confirmation
0
 
LVL 2

Author Comment

by:brgdotnet
ID: 39199225
Thank you for contributing, and you have earned some points dear sir. I need to hear from others though with strong experience in this area.

Let me paraphrase, so that I am more specific in my needs.

To help prevent fake account creation and identity spoofing, I am wondering specifically if the following approach is sufficient.
1. Have user Register.
2. Send user an email message with GUID(Unique Id)
    The email message will contain a url which references a log-in page.
    The URL will contain a unique quid in the url, which can be accessed with the query string.
3. When the application user clicks on the hyperlink, they will be taken to the login page. In my Code I will then check the quid in the database, along with their username and password. If these three values are in the database, I will check off a table value (true/false) that they accessed the login page using the emailed hyperlink with the guid.
4. If step 3 is completed, subsequent login attempts will no longer check for the existence of the guid.They will just be able to login using their username and password.
0
 
LVL 63

Accepted Solution

by:
btan earned 205 total points
ID: 39199234
Understand where you coming from but also do consider the "replayable" part of it as any intent to capture and replay that back to server, like someone able to sniff or repeat this guid and send back to server - no one is wiser and spoofing can still work through. So I was thinking if time period is consider for the confirmation email to com back to server for specific period, it may help to reduce the exposure. Maybe even besides GUID, and if it is binded to specific timestamp and the credential info where possible, it may help (but does complicate codes).

Actually for session based token or ID, random id in GET request is common. OWASP also has sharing on cheatsheet on this part
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Life_Cycle

But I do find code available doing likewise on GUID (or called "ProviderUserKey" in article below) which you may be interested by far, it seems the approach is fitting too for the confirmation. Probably will also need to check on the email entered as another layer check
http://www.codeproject.com/Questions/111635/mail-confirmation-in-asp-net
http://www.codeproject.com/Articles/313153/ASP-NET-MVC-reCAPTCHA-and-Email-Confirmation
http://www.codeproject.com/Articles/5189/End-to-end-Email-Address-Verification-for-Applicat
0
 
LVL 2

Author Closing Comment

by:brgdotnet
ID: 39232446
Thank you.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
802.1X auth setup and configuration 3 37
security group 2 23
Best in class privacy policy 6 51
Blocking outside IP Addresses 16 47
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question