[Unsolved] User Account verification via email !
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
[Unsolved] User Account verification via email !
I have a table schema for storing users. I want to make sure the user has entered his/her own email id, so I decided to put in account verification via email. My idea is to add two more fields to the existing table, named verification_key and is_activated.
When an account is verified, the field is_activated is set to true; it is set to false by default on sign-up. Is this a good approach? I'm confused because:
-> for each authentication process I'll have to pull more details out of the database, such as display name, salt, password hash and the additional field, i.e. is_activated.
-> when a user is verified, verification_key as well as is_activated will not be useful any further for that user (the exception is users who are not verified yet).
OR
Should I use a separate temporary table to store user details until he/she is verified, and once verified, move that particular user record into the registered users table?
Last edited by phazorRise on Sun Aug 07, 2011 11:23 am, edited 1 time in total.
Re: User Account verification via email !
Hi,
why are you saving the salt key in the database? I think that contradicts the purpose of a salt key.
You can just do an authentication query like this:
Code:
SELECT user,passwd FROM users WHERE is_activated=1 AND passwd='passhash' AND user='someuser'
That would be enough, and just one request to authenticate.
Greets.
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
Re: User Account verification via email !
"contradicts the purpose of a salt key"
Sorry, what do you mean??
Re: User Account verification via email !
Hmmm... now that I think about it, it doesn't matter if the salt key is known, but I still wouldn't save it in the database.
Or are you using the salt key for another purpose than to salt passwords?
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
Re: User Account verification via email !
"I still wouldn't save it in the database."
I'm not using a global salt or something. For each user a new salt is generated. Take a look below:
Code:
// per-user salt, generated fresh for this account
$data['key'] = sha1(uniqid("", true));
// stored password hash = sha256(salt . password)
$data['pass'] = hash('sha256', $data['key'] . $data['pass']);
One more thing: each time a user logs in to his account a new salt is generated, and so the password hash also changes.
This improves security (at least in the authentication process).
But my question is not around salt. It's about a good table schema.
"it doesn't matter if the salt key is known"
No. If the salt is known, then why use it anyway?
Re: User Account verification via email !
Hmm... ok, yeah, seems nice. Thought at first you wanted to use a global salt.
Please forget the part about it not mattering if the salt is known, don't know what got me there.
For the authentication this query would still be sufficient:
Code:
SELECT user,passwd FROM users WHERE is_activated=1 AND passwd=SHA2(CONCAT(salt, 'passwd'), 256) AND user='someuser'
OR just:
Code:
SELECT COUNT(*) as total FROM users WHERE is_activated=1 AND passwd=SHA2(CONCAT(salt, 'passwd'), 256) AND user='someuser'
If total == 0 then the authentication failed.
To update the salt and password you'd have to execute another query.
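The single-table design from the opening post, the one-query login check from the first reply, and the "another query" salt rotation from the reply above, worked through as an added example (this is not code from any poster in the thread). Assumptions that are not in the thread: SQLite via the standard library, a 24-hour lifetime for the emailed token, the token stored only as a hash, and password_hash = sha256(salt || password) to match the construction discussed here. Unverified rows carry a verification_key; activation is one UPDATE that also clears it, so the column is NULL for every activated user. Note that sha256 is not a password hash; the same structure works unchanged with bcrypt, scrypt or Argon2 for the password itself.

```python
"""Email verification + login on one users table (added example, not the thread's code).

Assumed, not from the thread: SQLite, 24h token lifetime, hashed token storage,
and sha256(salt || password) as the password hash to match the discussion.
"""
import hashlib
import hmac
import secrets
import sqlite3
import time

SCHEMA = """
CREATE TABLE users (
    id               INTEGER PRIMARY KEY,
    username         TEXT    NOT NULL UNIQUE,
    email            TEXT    NOT NULL UNIQUE,
    display_name     TEXT    NOT NULL,
    salt             TEXT    NOT NULL,
    password_hash    TEXT    NOT NULL,
    is_activated     INTEGER NOT NULL DEFAULT 0,
    verification_key TEXT,     -- hash of the emailed token; NULL once activated
    key_expires_at   INTEGER   -- unix time; NULL once activated
);
"""
TOKEN_LIFETIME = 24 * 3600  # assumed value, not from the thread


def password_hash(salt, password):
    """sha256(salt || password), the ordering used in the thread."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def token_hash(token):
    """Only the hash is stored, so reading the table cannot activate accounts."""
    return hashlib.sha256(token.encode()).hexdigest()


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register(conn, username, email, display_name, password, now=None):
    """Insert an unactivated row; return the raw token that goes in the email."""
    now = int(time.time()) if now is None else now
    salt, token = secrets.token_hex(16), secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO users (username, email, display_name, salt, password_hash,"
        " is_activated, verification_key, key_expires_at) VALUES (?,?,?,?,?,0,?,?)",
        (username, email, display_name, salt, password_hash(salt, password),
         token_hash(token), now + TOKEN_LIFETIME),
    )
    conn.commit()
    return token


def activate(conn, token, now=None):
    """One UPDATE: key must match, be unexpired and unused; clears the key after use."""
    now = int(time.time()) if now is None else now
    cur = conn.execute(
        "UPDATE users SET is_activated = 1, verification_key = NULL, key_expires_at = NULL"
        " WHERE verification_key = ? AND is_activated = 0 AND key_expires_at > ?",
        (token_hash(token), now),
    )
    conn.commit()
    return cur.rowcount == 1


def authenticate(conn, username, password, rotate_salt=True):
    """Return display_name on success, else None.

    One parameterized SELECT fetches everything the login needs and filters on
    is_activated, so unverified accounts cannot log in. The hash is compared in
    constant time here instead of inside the WHERE clause, so the password never
    becomes part of the SQL text. rotate_salt=True is the thread's per-login
    re-salt, which costs the extra UPDATE the reply mentions.
    """
    row = conn.execute(
        "SELECT display_name, salt, password_hash FROM users"
        " WHERE username = ? AND is_activated = 1",
        (username,),
    ).fetchone()
    if row is None:
        return None
    display_name, salt, stored = row
    if not hmac.compare_digest(stored, password_hash(salt, password)):
        return None
    if rotate_salt:
        new_salt = secrets.token_hex(16)
        conn.execute(
            "UPDATE users SET salt = ?, password_hash = ? WHERE username = ?",
            (new_salt, password_hash(new_salt, password), username),
        )
        conn.commit()
    return display_name


if __name__ == "__main__":
    db = open_db()
    tok = register(db, "alice", "alice@example.com", "Alice", "correct horse")
    print("login before activation:", authenticate(db, "alice", "correct horse"))
    print("activate:", activate(db, tok), "reuse:", activate(db, tok))
    print("login after activation:", authenticate(db, "alice", "correct horse"))
```

The activation UPDATE is the important part: checking the key, the expiry and is_activated in one statement's WHERE clause makes the token single-use without a separate SELECT-then-UPDATE race, and clearing the key column on success answers the concern that it lingers uselessly for verified users. Moving rows between two tables buys nothing here and adds a window where the user exists in neither.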
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
Re: User Account verification via email !
Thanks for your concerns.
But my question is unanswered. Here's what I want to know:
Which approach would be more suitable and efficient?
"I'm confused because:
-> for each authentication process I'll have to pull more details out of the database, such as display name, salt, password hash and the additional field, i.e. is_activated.
-> when a user is verified, verification_key as well as is_activated will not be useful any further for that user (the exception is users who are not verified yet).
OR
Should I use a separate temporary table to store user details until he/she is verified, and once verified, move that particular user record into the registered users table?"
Re: [Unsolved] User Account verification via email !
Hi,
I thought I already answered it: one table is sufficient, and you can check for authentication with one query.
But if you don't like the activation key in the users table, then I would go with (2).
Both should be equally efficient.
Greets.