Account activation via email

Alexandra Suciu

Can someone please explain to me how email confirmation/account activation
via email is achieved? What I'm referring to is websites that require a
user to sign up. Shortly after, the user receives an email from the
website. In the email is a link that is used to confirm the email address
and/or activate the account that was created earlier.

I want to do the same thing for my site, but I have no idea how it works. I
see tracking id #'s flying around, but I don't know what they are.

An explanation and a point in the right direction would be greatly
appreciated.



T.
 
Greg Schmidt

The general idea is that when a new user creates an account, you put a
flag in the database that indicates that it is not yet active. You send
them an email with a link to, say http://www.example.com/enable?xxx
where xxx is their user id or, for better security, a long random number
like a GUID which is used as an index into a table in your database to
look up the actual user id. The "enable" script has only one purpose:
it sets the flag to indicate that the account is now active (and of
course then redirects the browser to some useful page). For this scheme
to be of any use, your login script has to check the flag and only allow
logins once the account is activated.

Hope this helps!
 
Joe Patrick

If you want to make it easier, you could create several passwords and
usernames and email one off when someone submits the form. Once someone has
signed in using it, it will drop it from the site and put it at the back of
the cycle. I have the code somewhere, I will dig it out on Wednesday after I
come back from holiday.
E.g.:
Username[0]=abcdef
Username[1]=ghijklm
Username[2]=nopqur
*repeat desired amount of times*
Password[0]=jHra458J
Password[1]=LieFedLI
Password[2]=258HrLA

When someone signs up, they would get username abcdef and password jHra458J,
then that would become password[2]
Although it doesn't do what you want, it ensures email addresses are real. I use
it on my site and have 41 variables and change them once I have 41 signups.
 
Igor Slyusar

I use almost the same algorithm Greg Schmidt described above in this
thread. When a user signs up, a confirmation link with a random confirmation
code is sent to the new member's e-mail. The confirmation code is a number
produced by random number generation; it's impossible to hack it. The member
then has to click that link to confirm registration.

This way is reliable and secure, and fully automates the process of e-mail
validation. I don't even care about it, my programs do all the job for me.

If you need any further help, please contact me via form on my site.
 
Chris Morris

Igor Slyusar said:
I use almost the same algorithm Greg Schmidt described above in this
thread. When a user signs up, a confirmation link with a random confirmation
code is sent to the new member's e-mail. The confirmation code is a number
produced by random number generation; it's impossible to hack it.
                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^
The member then has to click that link to confirm registration.

Not strictly true. One possible way is to intercept the email (since
it's probably sent plain text at some point) before it reaches the
user's machine with a man-in-the-middle attack or similar. Then
follow the link yourself.

Difficult, yes, unless you happen to be a mail router admin,
impossible no.
 
Toby A Inkster

Chris said:
Not strictly true. One possible way is to intercept the email (since
it's probably sent plain text at some point) before it reaches the
user's machine with a man-in-the-middle attack or similar.

The other is to just brute-force it.
 
Greg Schmidt

Toby A Inkster said:
The other is to just brute-force it.

Do you mean to just try all 2^128 possible GUID combinations, or is
there a faster brute-force method? You know, something that would take
substantially less than the age of the universe to try?
 
Toby A Inkster

Greg said:
Do you mean to just try all 2^128 possible GUID combinations, or is
there a faster brute-force method?

Igor never said that his random number was 128 bits.
 
Chris Morris

Toby A Inkster said:
The other is to just brute-force it.

That's fairly easy to deal with, actually.
Where
foo.script?uid=thisuser&code=57gw92
is correct, if the code is incorrect (possibly allow a couple of
wrong attempts, up to you), then erase the user/code combination and
email the user to inform them, then silently drop further requests.

I wouldn't just generate a new one, since that allows very easy mail
bombing by repeatedly accessing the script.
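Greg's flag-plus-random-token flow (store the flag, mail a link carrying a long random code, let the "enable" script flip the flag, make login check it) and Chris's rule for wrong codes (a couple of misses, then erase the pair, notify the user and silently drop further requests, never minting a fresh code) put together as an added Python example; this is not code from any poster in the thread. Assumed names: ActivationStore, register, enable, can_login; the in-memory dicts stand in for the database tables, the outbox list stands in for sending mail, and keeping only a hash of the code server-side is an added hardening the thread does not mention.

```python
import hashlib
import secrets
from dataclasses import dataclass

MAX_WRONG_ATTEMPTS = 2  # "possibly allow a couple of wrong attempts"


@dataclass
class PendingUser:
    user_id: str
    email: str
    code_hash: bytes  # only a hash of the code is kept server-side (added hardening)
    wrong_attempts: int = 0


class ActivationStore:
    """In-memory stand-in for the database tables Greg describes (assumed names)."""

    def __init__(self):
        self.active = {}   # user_id -> bool: the "not yet active" flag
        self.pending = {}  # user_id -> PendingUser awaiting confirmation
        self.outbox = []   # (email, message) pairs; stands in for sending mail

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).digest()

    def register(self, user_id, email):
        code = secrets.token_urlsafe(16)  # 128 random bits from the OS CSPRNG
        self.active[user_id] = False
        self.pending[user_id] = PendingUser(user_id, email, self._hash(code))
        self.outbox.append((email, f"https://www.example.com/enable?uid={user_id}&code={code}"))
        return code  # returned only so the caller can put it in the mail

    def enable(self, user_id, code):
        """The 'enable' script: flips the flag on a correct code, else counts the miss."""
        rec = self.pending.get(user_id)
        if rec is None:
            return False  # unknown or already erased: silently drop the request
        if secrets.compare_digest(self._hash(code), rec.code_hash):
            self.active[user_id] = True
            del self.pending[user_id]
            return True
        rec.wrong_attempts += 1
        if rec.wrong_attempts > MAX_WRONG_ATTEMPTS:
            del self.pending[user_id]  # erase the pair; do not mint a new code (mail bombing)
            self.outbox.append((rec.email, "Activation cancelled after repeated wrong codes."))
        return False

    def can_login(self, user_id):
        return self.active.get(user_id, False)  # the login script must check this flag
```

Because the code carries 128 random bits, the attempt counter is what stops guessing in practice; a code that was mailed and then erased never works again, so a user whose activation was cancelled has to register afresh.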
 
Greg Schmidt

Toby A Inkster said:
Igor never said that his random number was 128 bits.

It should be, there are enough GUID generators around that will do it
for you. Otherwise, someone might brute-force it. :)
 
