Validate & Confirm E-Mail Address

  • Thread starter Wm. Scott Miller
  • Start date
W

Wm. Scott Miller

Hello all:

I'd like some advice on the best way to validate and confirm an e-mail
address entered during a registration process. What we are thinking of is
something like the following:

1. User comes to our web site and validates themselves as a member of our
database.
2. User creates a user name and password to be used to log in to our site.
3. User is required to enter a valid e-mail address to finalize
registration.
4. Registration process is suspended until...
5. Server sends e-mail to supplied e-mail address with a link in it that
the user must click on to continue the registration process.
6. User clicks on link and is taken to a log-in page where they will enter
the information supplied in #2
7. Once they have successfully logged in (which also confirms either e-mail
address), they are fully registered and ready to go.

Reason we decided on the above is because of:

1. If e-mail were to be intercepted (either maliciously or by typo by
user), no one but the registering user could confirm e-mail because they
must login with link to confirm e-mail.
2. We need an e-mail in case the user forgets their password so it must be
active and valid for use.

Is there any security holes in the plan?

Additionally, has someone done something like this and have code and/or
suggestions from your experience?

Thanks for all the help,
Scott
 
P

Peter Blum

Hi Scott,

I use the same technique on my site (www.peterblum.com). Feel free to
download something from the site to try it out. (There are free ASP.NET
controls so you might actually get something you like.)

The advantages are clear. Your database knows when a user has not finished
registration. So other functions that use your registrations can skip them.
The disadvantages:
1. Sometimes email does not make it to the user. DNS problems, anti-spam
software blocking, or email server blocking features. I'd say probably 5% of
users that appear to have legit email addresses end up with this problem.
2. Users create temporary email addresses just for signing up. If this info
is important to you, your site still can be fooled.
3. Users often mistype their email address. I often see back-to-back entries
with slightly different email addresses. At least that indicates the user is
trying to make things work.

--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
 
W

Wm. Scott Miller

Peter:

Could you provide a link directly to the download of the registration
example? I've poked around on your site and haven't found it.
Thanks!

Scott
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

CreateUserWizard FormatException for e-mail address 1
Confirm from code behind 0
Validating Multiple E-mail Address - JavaScript & CustomValidator 1
deleting e-mail 1
Registration form 13
HCaptcha - How to stop page from refreshing on submit if captcha is not checked/validated 1
If the stored e-mail address fails I can catch the error but then what? 0
E-Mail Marketing is now officially SPAM 1

Members online

No members online now.
Total: 39 (members: 0, guests: 39)
Robots: 240

Forum statistics

Threads
473,764
Messages
2,569,567
Members
45,041
Latest member
RomeoFarnh

Latest Threads

Top