[Unsolved] User Account verification via email !


Post by phazorRise »

I've a table schema for storing users. I want to make sure the user has entered his/her own email id. So I decided to put in an account verification via email. My idea is to add two more fields in the existing table, named verification_key and is_activated.

When an account is verified, the field is_activated is set to true, which is by default set to false on sign up. Is this a good approach? I'm confused because:
-> For each authentication process I'll have to pull more details out of the database, such as display name, salt, password hash and the additional field, i.e. is_activated.
-> When a user is verified, verification_key as well as is_activated will not be useful any further for that user only. (The exception is users who are not verified yet.)

OR

Should I use a separate temporary table to store user details until he/she is verified, and once verified that particular user record can be moved into the registered users table?
Last edited by phazorRise on Sun Aug 07, 2011 11:23 am, edited 1 time in total.

Post by genix2011 »

Hi,

Why are you saving the salt key in the database? I think that contradicts the purpose of a salt key.
You can just do an authentication query like this:

Code:

SELECT user,passwd FROM users WHERE is_activated=1 AND passwd='passhash' AND user='someuser'

That would be enough, and just one request to authenticate.

Greets.

Post by phazorRise »

> contradicts the purpose of a salt key

Sorry, what do you mean?

Post by genix2011 »

hmmm... now that I think about it, it doesn't matter if the salt key is known, but I still wouldn't save it in the database.
Or are you using the salt key for another purpose than to salt passwords?

Post by phazorRise »

> I still wouldn't save it in the database.

I'm not using a global salt or something. For each user a new salt is generated. Take a look below:

Code:

// per-user salt
$data['key'] = sha1(uniqid("", true));
// salted hash: the algorithm name must be a quoted string
$data['pass'] = hash('sha256', $data['key'] . $data['pass']);

Here, my salt is $data['key']. Now to get back $data['pass'] I need $data['key'] first. To do this, the salt has to be stored along with user details and pulled out each time.
One more thing: each time a user logs in to his account, a new salt is generated and so the password hash also changes.
This improves security (at least in the authentication process).

But my question is not around salt. It's about good table schema.

> it doesn't matter if the salt key is known

No. If the salt is known then why use it anyway?

Post by genix2011 »

Hmm... ok, yeah, seems nice. Thought at first you wanted to use a global salt.
Please forget the part about it not mattering if the salt is known; don't know what got me there :)

For the authentication this query would still be sufficient:

Code:

SELECT user,passwd FROM users WHERE is_activated=1 AND passwd=SHA2(CONCAT(salt, 'passwd'), 256) AND user='someuser'

OR just:

Code:

SELECT COUNT(*) as total FROM users WHERE is_activated=1 AND passwd=SHA2(CONCAT(salt, 'passwd'), 256) AND user='someuser'

If total == 0 then the authentication failed.

To update the salt and password you'd have to execute another query.

Post by phazorRise »

Thanks for your concerns.
But my question is unanswered. Here's what I want to know:

> I'm confused because:
> -> For each authentication process I'll have to pull more details out of the database, such as display name, salt, password hash and the additional field, i.e. is_activated.
> -> When a user is verified, verification_key as well as is_activated will not be useful any further for that user only. (The exception is users who are not verified yet.)
>
> OR
>
> Should I use a separate temporary table to store user details until he/she is verified, and once verified that particular user record can be moved into the registered users table?

Which approach would be more suitable and efficient?

Post by genix2011 »

Hi,

I thought I already answered it: one table is sufficient, and you can check for authentication with one query.
But if you don't like the activation key in the users table, then I would go with (2).

Both should be equally efficient.

Greets.
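
The single-table design discussed in this thread (verification_key plus is_activated in the users table), as an added example that is not code from either poster. It assumes PHP 7+ with PDO SQLite; the function names register, verify and login are hypothetical, and it uses PHP's password_hash()/password_verify() for the per-user salted hash instead of the SHA-256 construction shown in the thread.

```php
<?php
// Added example: one users table carrying verification_key and is_activated.
// Column names follow the thread; function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    user TEXT PRIMARY KEY,
    passwd TEXT NOT NULL,
    verification_key TEXT,
    is_activated INTEGER NOT NULL DEFAULT 0)');

function register(PDO $db, string $user, string $pass): string {
    $token = bin2hex(random_bytes(32));   // CSPRNG token for the e-mail link
    $st = $db->prepare('INSERT INTO users (user, passwd, verification_key) VALUES (?, ?, ?)');
    // password_hash() creates a per-user salt and embeds it in the hash string.
    // Only a SHA-256 digest of the token is stored, so a read-only leak of the
    // table does not reveal a usable activation link.
    $st->execute([$user, password_hash($pass, PASSWORD_DEFAULT), hash('sha256', $token)]);
    return $token;                        // goes into the mail, never into the DB
}

function verify(PDO $db, string $user, string $token): bool {
    // Single use: the key is matched and cleared in the same statement.
    $st = $db->prepare('UPDATE users SET is_activated = 1, verification_key = NULL
                        WHERE user = ? AND is_activated = 0 AND verification_key = ?');
    $st->execute([$user, hash('sha256', $token)]);
    return $st->rowCount() === 1;
}

function login(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT passwd, is_activated FROM users WHERE user = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Run password_verify() for unknown users too, so timing stays uniform.
    $hash = $row ? $row['passwd'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $hash);
    return $ok && $row && (int)$row['is_activated'] === 1;
}

// Constructed sample data, not from the thread.
$token = register($db, 'someuser', 'correct horse');
var_dump(login($db, 'someuser', 'correct horse'));   // before activation
var_dump(verify($db, 'someuser', 'wrong-token'));    // token mismatch
var_dump(verify($db, 'someuser', $token));           // correct token
var_dump(verify($db, 'someuser', $token));           // replay after key was cleared
var_dump(login($db, 'someuser', 'correct horse'));   // after activation
```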