email activation code - need brainstorming
Posted: Mon Aug 08, 2011 6:06 am
Hi guys
I need some guidelines on programming some part of my website. Actually I don't need anyone to provide me with any scripts, just to help me out on how it is done elsewhere.
So here is the thing, I need a page for registration and another page when the users are requesting a forgotten password. Obviously I am using a database.
Obviously, like elsewhere, I am creating an activation code which is sent by email; this part is good. So my question is: where do you keep the activation code? From the searches I made, some are keeping them in the registered table, others are creating a temporary table for new registrations and then transferring the values to the registered user table. So two tables, the actual registered one and a temporary table.
Even though both ways are good, I still need to find out the best, simplest and most secure way of doing so. Any other ideas or suggestions are most welcome.
My idea was to create a text file with all the info. The text file would be named with the same activation code (ex.: $activeCode.txt.inc) or something like that. If the text filename matches the one sent by email then we proceed with activation and the file is deleted when it is done. If not then... well you get the picture.
As for password reset, my issue is I don't want to send them a new password automatically. What I would rather do is send a message saying something like this:
"You or someone else used your email to request a password change... If you did not make this request then delete the email; if you did request it then click on the following link... bla bla bla..."
So I still want to keep the old password if it's a false request. Would you create another field for password reset? If you need to revert their old password, would you keep the old one in another field just in case? Where do we keep the activation code: another temporary table, the registered table (final one), or even a text file which is deleted once the password has been successfully modified?
Another question about passwords: would encrypting the password with md5 be enough or would you use another encryption method?
As I mentioned, all I need is some brainstorming on the activation process. I am just curious how you guys would do it, and surely some of you will come up with problems using any of these techniques.
Thanks again
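One possible design for the flow asked about above, as an added example that is not part of the original post: a separate token table serves both activation and reset, only a SHA-256 hash of the emailed code is stored, codes expire and are single use, and the existing password is overwritten only when a valid reset link is redeemed. The table names, the one-hour lifetime and the PBKDF2 parameters (used here in place of md5) are assumptions.

```python
import hashlib, hmac, secrets, sqlite3, time

TOKEN_TTL = 3600  # assumed token lifetime in seconds; not from the post

def hash_password(password, salt=None):
    # Salted, slow hash (PBKDF2-HMAC-SHA256) instead of a bare md5 digest.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def check_password(password, stored):
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(hash_password(password, salt), stored)

def setup():
    # Hypothetical schema: users stay in one table, pending codes in another.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw TEXT, active INTEGER)")
    db.execute("CREATE TABLE tokens (token_hash TEXT PRIMARY KEY, email TEXT,"
               " purpose TEXT, expires REAL)")
    return db

def issue_token(db, email, purpose, now=None):
    """Return the raw token to put in the email link; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    db.execute("DELETE FROM tokens WHERE email=? AND purpose=?", (email, purpose))
    db.execute("INSERT INTO tokens VALUES (?,?,?,?)",
               (hashlib.sha256(token.encode()).hexdigest(), email, purpose,
                now + TOKEN_TTL))
    return token

def redeem_token(db, token, purpose, now=None):
    """Return the email for a valid token and delete it (single use), else None."""
    now = time.time() if now is None else now
    h = hashlib.sha256(token.encode()).hexdigest()
    row = db.execute("SELECT email, expires FROM tokens"
                     " WHERE token_hash=? AND purpose=?", (h, purpose)).fetchone()
    if row is None:
        return None
    db.execute("DELETE FROM tokens WHERE token_hash=?", (h,))
    return row[0] if row[1] >= now else None

def reset_password(db, token, new_password, now=None):
    """users.pw changes only here, so an ignored reset email leaves it untouched."""
    email = redeem_token(db, token, "reset", now)
    if email is None:
        return False
    db.execute("UPDATE users SET pw=? WHERE email=?",
               (hash_password(new_password), email))
    return True
```

An activation page would call `redeem_token(db, token, "activate")` and set `users.active` for the returned email.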