
email activation code - need brainstorming

Posted: Mon Aug 08, 2011 6:06 am
by badaboom
Hi guys

I need some guidelines on programming some part of my website. Actually I don't need anyone to provide me with any scripts, just to help me out on how it is done elsewhere.

So here is the thing, I need a page for registration and another page when the users are requesting a forgotten password. Obviously I am using a database.

Obviously, like elsewhere, I am creating an activation code which is sent by email; this part is good. So my question is where do you keep the activation code. From the searches I made, some of them are keeping it in the registered table, others are creating a temporary table for new registrations and then transferring the values to the registered user table. So two tables, the actual registered one and a temporary table.

Even though both ways are good, I still need to find out the best, simplest and most secure way of doing so. Any other ideas or suggestions are most welcome.

My idea was to create a text file with all the info. The text file would be named with the same activation code (ex.: $activeCode.txt.inc) or something like that. If the text filename matches the one sent by email then we proceed with activation and it is deleted when it is done. If not then... well you get the picture.

As for password reset, my issue is I don't want to send them a new password automatically. What I would rather do is send a message saying something like this:

"You or someone else using your email requested a password change... If you did not make such a request then delete this email; if you did request it then click on the following link... bla bla bla..."

So I still want to keep the old password if it's a false request. Would you create another field for password reset? If you need to revert to their old password, would you keep the old one in another field just in case? Where do we keep the activation code: another temporary table, the registered table (the final one), or even a text file which is deleted once the password has successfully been modified?

Another question about passwords: would encrypting the password with md5 be enough, or would you use another encryption method?

As I mentioned, all I need is some brainstorming on the activation process. I am just curious how you guys would do it, and surely some of you would come up with problems with any of these techniques.

Thanks again

Re: email activation code - need brainstorming

Posted: Mon Aug 08, 2011 10:06 am
by tr0gd0rr
I prefer to have a simple table:
password_tokens
id
token
user_id
created

Then a URL like /password/set/?token=123... which checks that the token exists and is not older than a week. Prompt for password and confirm password, then set the new password for that user_id.

When storing passwords, yes, md5 or sha1 is good, but always use a salt. You can do an app-wide salt or an entry-specific salt. See this Stack Overflow question.
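An added example (not code from this thread) of the password_tokens table and the /password/set/?token=... check tr0gd0rr describes: the token is generated randomly, looked up, rejected if older than a week, and deleted as soon as it is used so the same link cannot be replayed. SQLite as the store, a urlsafe random token, and invalidating a user's earlier tokens on re-issue are assumptions for the example.

```python
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 7 * 24 * 60 * 60  # "not older than a week"

# Same four columns as the table in the answer above; created is a unix timestamp.
SCHEMA = """
CREATE TABLE IF NOT EXISTS password_tokens (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    token   TEXT    NOT NULL UNIQUE,
    user_id INTEGER NOT NULL,
    created INTEGER NOT NULL
);
"""


def open_db(path=":memory:"):
    """Open (or create) the database holding the password_tokens table."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def issue_token(conn, user_id, now=None):
    """Create a fresh reset token for user_id; the caller emails it as /password/set/?token=..."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable; never derived from user data or a counter
    # Assumption: only the newest reset link per user should work, so drop older ones.
    conn.execute("DELETE FROM password_tokens WHERE user_id = ?", (user_id,))
    conn.execute(
        "INSERT INTO password_tokens (token, user_id, created) VALUES (?, ?, ?)",
        (token, user_id, now),
    )
    conn.commit()
    return token


def redeem_token(conn, token, now=None):
    """Return the user_id if token exists and is under a week old, consuming it; else None."""
    now = int(time.time()) if now is None else now
    row = conn.execute(
        "SELECT id, user_id, created FROM password_tokens WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        return None
    row_id, user_id, created = row
    # Delete whether or not it has expired: a stale token must never become usable later.
    conn.execute("DELETE FROM password_tokens WHERE id = ?", (row_id,))
    conn.commit()
    if now - created > TOKEN_TTL_SECONDS:
        return None
    return user_id
```

Only after redeem_token returns a user_id should the page prompt for the new password and store it for that user; the old password stays untouched if the link is never visited.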