  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 276

Strategy for account creation and confirmation

I am building a website where someone signs up for an account. I then send them a confirmation email message. The confirmation email message then has a link to the login page.

I noticed other sites have this strategy. I am confused though. Why are they sent a confirmation email when they can just go directly to the login page by clicking on a "Login" link already on the page?

Can someone help me to understand? Also, instead, should my confirmation email have a unique key like a GUID which I should check when the person logs in for the first time? Would that be a much better strategy?

The GUID would be embedded in the URL so that I could get this value and check it when the person logs in for the first time.
0
Asked by brgdotnet
1 Solution
 
btan, Exec Consultant, commented:
It is actually to send to the intended user's email for the requested account creation and not to some other email on their behalf. This is just a means to an end and not foolproof in assuring an authorised party via the confirmation. There can be further identity checks tied to it besides email, which can also be spoofed.
The uniqueness of the link leading to the confirmation page should allow acknowledgement and single sign-on for that short period using some sort of random session ID tied to that user account. The confirmation should not persist after the enforced period.

Likewise, it also deters bots creating accounts using some automated form filler and creating orphan, dead or unauthorised accounts.

You can see this discussion too
http://stackoverflow.com/questions/1495032/do-we-really-need-email-confirmation
0
 
brgdotnet (Author) commented:
Thank you for contributing, and you have earned some points dear sir. I need to hear from others though with strong experience in this area.

Let me paraphrase, so that I am more specific in my needs.

To help prevent fake account creation and identity spoofing, I am wondering specifically if the following approach is sufficient.
1. Have the user register.
2. Send the user an email message with a GUID (unique ID).
    The email message will contain a URL which references a log-in page.
    The URL will contain a unique GUID, which can be accessed from the query string.
3. When the application user clicks on the hyperlink, they will be taken to the login page. In my code I will then check the GUID in the database, along with their username and password. If these three values are in the database, I will check off a table value (true/false) that they accessed the login page using the emailed hyperlink with the GUID.
4. If step 3 is completed, subsequent login attempts will no longer check for the existence of the GUID. They will just be able to log in using their username and password.
0
 
btan, Exec Consultant, commented:
I understand where you're coming from, but also do consider the "replayable" part of it, as any intent to capture and replay that back to the server, like someone able to sniff or repeat this GUID and send it back to the server - no one is the wiser and spoofing can still work through. So I was thinking that if a time period is considered for the confirmation email to come back to the server within a specific period, it may help to reduce the exposure. Maybe even besides the GUID, if it is bound to a specific timestamp and the credential info where possible, it may help (but does complicate the code).

Actually, for session-based tokens or IDs, a random ID in a GET request is common. OWASP also has sharing in a cheat sheet on this part:
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Life_Cycle

But I do find code available doing likewise with a GUID (called "ProviderUserKey" in the articles below) which you may be interested in; by far, it seems the approach is fitting for the confirmation too. You will probably also need to check the email entered as another layer of checking:
http://www.codeproject.com/Questions/111635/mail-confirmation-in-asp-net
http://www.codeproject.com/Articles/313153/ASP-NET-MVC-reCAPTCHA-and-Email-Confirmation
http://www.codeproject.com/Articles/5189/End-to-end-Email-Address-Verification-for-Applicat
0
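To make the points in this thread concrete (a unique token in the emailed link, a validity window, single use so a sniffed link cannot be replayed, and binding to the account), here is an added example that is not code from either participant or from the linked articles. It uses an in-memory store and an injectable clock instead of a real database and mail sender, and it uses a 256-bit random token rather than a GUID, since a GUID is not guaranteed to be unpredictable; every name in it is an assumption for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Assumed validity window for a confirmation link (the "time period" suggested above).
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class Account:
    """Stand-in for the account row; a real app would keep this in the database."""
    username: str
    email: str
    confirmed: bool = False
    # Only a hash of the token is stored, so a leaked table cannot be used to confirm.
    token_hash: Optional[str] = None
    token_expires_at: Optional[float] = None


def build_confirmation_url(base_url: str, username: str, token: str) -> str:
    """Builds the link placed in the email; the token travels in the query string."""
    return base_url + "?" + urlencode({"u": username, "t": token})


class ConfirmationService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {}
        self.now = now  # injectable clock so expiry can be tested deterministically

    def register(self, username: str, email: str) -> str:
        """Step 1-2: create the unconfirmed account and return the token to email."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a GUID
        acct = Account(username=username, email=email)
        acct.token_hash = hashlib.sha256(token.encode()).hexdigest()
        acct.token_expires_at = self.now() + TOKEN_TTL_SECONDS
        self.accounts[username] = acct
        return token

    def confirm(self, username: str, token: str) -> bool:
        """Step 3: called when the emailed link is followed. Returns True once only."""
        acct = self.accounts.get(username)
        if acct is None or acct.token_hash is None or acct.token_expires_at is None:
            return False  # unknown user, or token already consumed
        if self.now() > acct.token_expires_at:
            return False  # link outlived its validity window
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison so the check does not leak the stored hash byte by byte.
        if not hmac.compare_digest(presented, acct.token_hash):
            return False
        acct.confirmed = True
        acct.token_hash = None  # single use: the same link replayed later fails
        acct.token_expires_at = None
        return True

    def is_confirmed(self, username: str) -> bool:
        """Step 4: later logins only need this flag, not the token."""
        acct = self.accounts.get(username)
        return acct is not None and acct.confirmed


if __name__ == "__main__":
    svc = ConfirmationService()
    tok = svc.register("alice", "alice@example.com")  # constructed sample user
    print(build_confirmation_url("https://example.test/confirm", "alice", tok))
    print("first use:", svc.confirm("alice", tok))
    print("replay:", svc.confirm("alice", tok))
```

The link carries the username only so the server knows which stored hash to compare against; it is the token, not the username, that proves the recipient controls the mailbox. Expired or consumed tokens fail closed, so a user whose link has lapsed is simply issued a fresh one.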
 
brgdotnet (Author) commented:
Thank you.
0