[Unsolved] User Account verification via email !
Posted: Sat Aug 06, 2011 2:53 pm
by phazorRise
I have a table schema for storing users. I want to make sure the user has entered his/her own email ID, so I decided to put in an account verification via email. My idea is to add two more fields to the existing table, named verification_key and is_activated.
When an account is verified the field is_activated is set to true; it is set to false by default on sign-up. Is this a good approach? I'm confused because:
- For each authentication process I'll have to pull more details out of the database, such as display name, salt, password hash and the additional field, i.e. is_activated.
- When a user is verified, verification_key as well as is_activated will not be useful any further for that user. (The exception is users who are not verified yet.)
OR
Should I use a separate temporary table to store user details until he/she is verified, and once verified, move that particular user record into the registered users table?
Re: User Account verification via email !
Posted: Sat Aug 06, 2011 3:15 pm
by genix2011
Hi,
why are you saving the salt key in the database? I think that contradicts the purpose of a salt key.
You can just do an authentication query like this:
Code:
SELECT user,passwd FROM users WHERE is_activated=1 AND passwd='passhash' AND user='someuser'
That would be enough, and just one request to authenticate.
Greets.
Re: User Account verification via email !
Posted: Sat Aug 06, 2011 3:23 pm
by phazorRise
contradicts the purpose of a salt key
Sorry, what do you mean?
Re: User Account verification via email !
Posted: Sat Aug 06, 2011 4:14 pm
by genix2011
hmmm... now that I think about it, it doesn't matter if the salt key is known, but I still wouldn't save it in the database.
Or are you using the salt key for another purpose than to salt passwords?
Re: User Account verification via email !
Posted: Sat Aug 06, 2011 5:12 pm
by phazorRise
I still wouldn't save it in the database.
I'm not using a global salt or something. For each user a new salt is generated. Take a look below:
Code:
// per-user salt: a SHA-1 digest of a unique id (more entropy with the $more_entropy flag)
$data['key']=sha1(uniqid("",true));
// stored password hash: SHA-256 over salt . plaintext (algorithm name must be a string)
$data['pass']=hash('sha256',$data['key'].$data['pass']);
Here, my salt is $data['key']. Now, to get back $data['pass'] I need $data['key'] first. To do this, the salt has to be stored along with the user details and pulled out each time.
One more thing: each time a user logs in to his account a new salt is generated, and so the password hash also changes.
This improves security (at least in the authentication process).
But my question is not about the salt. It's about a good table schema.
it doesn't matter if the salt key is known
No. If the salt is known, then why use it anyway?
Re: User Account verification via email !
Posted: Sat Aug 06, 2011 7:11 pm
by genix2011
Hmm... ok, yeah, seems nice. I thought at first you wanted to use a global salt.
Please forget the part about it not mattering if the salt is known; I don't know what got me there.
For the authentication this query would still be sufficient:
Code:
SELECT user,passwd FROM users WHERE is_activated=1 AND passwd=SHA2(CONCAT(salt, 'passwd'), 256) AND user='someuser'
OR just:
Code:
SELECT COUNT(*) as total FROM users WHERE is_activated=1 AND passwd=SHA2(CONCAT(salt, 'passwd'), 256) AND user='someuser'
If total == 0 then the authentication failed.
To update the salt and password you'd have to execute another query.
Re: User Account verification via email !
Posted: Sun Aug 07, 2011 10:25 am
by phazorRise
Thanks for your concern.
But my question is unanswered. Here's what I want to know:
I'm confused because:
- For each authentication process I'll have to pull more details out of the database, such as display name, salt, password hash and the additional field, i.e. is_activated.
- When a user is verified, verification_key as well as is_activated will not be useful any further for that user. (The exception is users who are not verified yet.)
OR
Should I use a separate temporary table to store user details until he/she is verified, and once verified, move that particular user record into the registered users table?
Which approach would be more suitable and efficient?
Re: [Unsolved] User Account verification via email !
Posted: Sun Aug 07, 2011 11:57 am
by genix2011
Hi,
I thought I already answered it: one table is sufficient, and you can check for authentication with one query.
But if you don't like the activation key in the users table, then I would go with (2).
Both should be equally efficient.
Greets.
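The single-table design that the thread settles on (verification_key and is_activated stored beside the credential columns, one query at login), written out as an added, runnable example. This is not code from either poster; it uses Python's sqlite3 with an in-memory database and constructed sample accounts. Two things are deliberately substituted and labelled as such: the password hash is PBKDF2-HMAC-SHA256 with a per-user random salt instead of a single sha256(salt . password) pass, and the hash and verification-key comparisons are done with hmac.compare_digest in application code rather than inside the WHERE clause, so that the database does no secret-dependent comparison.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Single users table as discussed in the thread: the verification columns live
# next to the credential columns, so no temporary "pending users" table is needed.
SCHEMA = """
CREATE TABLE users (
    user             TEXT PRIMARY KEY,
    display_name     TEXT NOT NULL,
    salt             BLOB NOT NULL,
    passwd           BLOB NOT NULL,
    verification_key TEXT,
    is_activated     INTEGER NOT NULL DEFAULT 0
)
"""

PBKDF2_ROUNDS = 100_000  # constructed choice for the example


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def hash_password(salt, password):
    # Substitute for the thread's hash('sha256', salt . pass): a slow KDF keyed by
    # the per-user salt. The salt is stored in clear next to the hash, as in the thread.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(conn, user, display_name, password):
    """Insert an unverified account (is_activated = 0) and return the emailed key."""
    salt = secrets.token_bytes(16)
    key = secrets.token_urlsafe(32)  # random, unguessable verification key
    conn.execute(
        "INSERT INTO users (user, display_name, salt, passwd, verification_key, is_activated)"
        " VALUES (?, ?, ?, ?, ?, 0)",
        (user, display_name, salt, hash_password(salt, password), key),
    )
    return key


def activate(conn, user, key):
    """Set is_activated once the emailed key matches; the key is cleared afterwards."""
    row = conn.execute(
        "SELECT verification_key FROM users WHERE user = ? AND is_activated = 0",
        (user,),
    ).fetchone()
    if row is None or row[0] is None:
        return False
    if not hmac.compare_digest(row[0], key):
        return False
    conn.execute(
        "UPDATE users SET is_activated = 1, verification_key = NULL WHERE user = ?",
        (user,),
    )
    return True


def authenticate(conn, user, password):
    """One parameterised query fetches everything needed, including is_activated.

    Returns the display name on success, None otherwise.
    """
    row = conn.execute(
        "SELECT display_name, salt, passwd, is_activated FROM users WHERE user = ?",
        (user,),
    ).fetchone()
    if row is None:
        # Do the same amount of work for an unknown user as for a wrong password,
        # so response time does not reveal which usernames exist.
        hash_password(b"\x00" * 16, password)
        return None
    display_name, salt, stored_hash, is_activated = row
    if not hmac.compare_digest(stored_hash, hash_password(salt, password)):
        return None
    if not is_activated:
        # Correct password but unverified email: treat as a failed login.
        return None
    return display_name


def demo():
    """Constructed walk-through: register, fail before activation, activate, log in."""
    conn = open_db()
    key = register(conn, "alice", "Alice Example", "correct horse battery")
    before = authenticate(conn, "alice", "correct horse battery")  # None: not activated
    bad_key = activate(conn, "alice", "not-the-real-key")           # False
    ok = activate(conn, "alice", key)                               # True
    after = authenticate(conn, "alice", "correct horse battery")   # "Alice Example"
    wrong_pw = authenticate(conn, "alice", "wrong password")        # None
    replay = activate(conn, "alice", key)                           # False: key cleared
    return before, bad_key, ok, after, wrong_pw, replay


if __name__ == "__main__":
    print(demo())
```

The flow keeps everything in one table: the login path is a single SELECT by username, and the only extra cost of the verification columns is the is_activated check already in hand from that row. Once a user is activated the key column is NULLed, so it carries no stale secret, which is the concern raised in the first post about columns that stop being useful after verification.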