login with email confirmation question

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am

Post by rubberjohn »

I have a question about a login script I'm working on:

Once a user has successfully entered their details into a form they are inserted into a database.

If this was successful, the user is then sent a confirmation email that links back and activates the account.

My question is: if the email fails for some reason and the user never receives the email, or the user deletes the email, the user cannot re-register on the system, as it does not allow duplicate email accounts. And there will be an account that will never be activated.

What can I do to avoid this?

Thanks

rj
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

When the user logs in, notify them that their account is not activated and provide them with a link to re-send the email.
rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am

Post by rubberjohn »

Of course, but what if they have entered the wrong email address? I suppose that's just their fault!!
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Perhaps once they have logged in with their un-activated account, allow them to change the email?
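The two suggestions above (tell an unactivated user at login and let them re-send the mail; let a still-unactivated account change its address) put together, as an added example that is not code from this thread. It also shows the ordering rubberjohn worries about: the row is committed first and the mail goes out second, so a lost mail leaves a row with a re-send path and a failed INSERT sends nothing. PDO with an in-memory SQLite database and a stand-in for mail() keep it runnable offline; the table layout, function names, the example.test URLs and the 24-hour token lifetime are all assumptions.

```php
<?php
// Added example (not code from the thread): registration with a stored
// activation token, login that reports an unactivated account, a re-send,
// and an email change that is only possible while unactivated.
// PDO + in-memory SQLite and a fake mailer keep it runnable offline; all
// table, function and URL names are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    pass_hash TEXT NOT NULL,
    activated INTEGER NOT NULL DEFAULT 0,
    token_hash TEXT,       -- sha256 of the activation token, never the token itself
    token_expires INTEGER  -- unix time; a link older than this is refused
)');

// Stand-in for mail(): records what would have been sent so the demo can read it back.
$outbox = [];
$sendMail = function (string $to, string $link) use (&$outbox): void {
    $outbox[] = ['to' => $to, 'link' => $link];
};

function issueToken(PDO $db, int $userId): string {
    // 32 random bytes, so the link cannot be guessed. Only a hash is stored:
    // a dumped users table does not yield working activation links.
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET token_hash = ?, token_expires = ? WHERE id = ?')
       ->execute([hash('sha256', $token), time() + 86400, $userId]);
    return $token;
}

function sendActivation(PDO $db, callable $sendMail, int $userId): void {
    $st = $db->prepare('SELECT email FROM users WHERE id = ? AND activated = 0');
    $st->execute([$userId]);
    if ($email = $st->fetchColumn()) {
        // Each re-send replaces the previous token; older links stop working.
        $token = issueToken($db, $userId);
        $sendMail($email, "https://example.test/activate?uid=$userId&t=$token");
    }
}

function register(PDO $db, callable $sendMail, string $email, string $password): int {
    // Insert first, then mail. If the mail is lost the row and a re-send path
    // still exist; if the INSERT throws, no mail goes out at all.
    $st = $db->prepare('INSERT INTO users (email, pass_hash) VALUES (?, ?)');
    $st->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
    $id = (int) $db->lastInsertId();
    sendActivation($db, $sendMail, $id);
    return $id;
}

// The password is checked before anything about activation state is revealed,
// so only the person who set the password can trigger re-sends or email changes.
function login(PDO $db, string $email, string $password): array {
    $st = $db->prepare('SELECT id, pass_hash, activated FROM users WHERE email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pass_hash'])) {
        return ['state' => 'fail'];
    }
    return ['state' => $row['activated'] ? 'ok' : 'unactivated', 'id' => (int) $row['id']];
}

// Address change is allowed only for a never-activated account; an activated
// account must confirm a change from its current address instead.
function changeUnactivatedEmail(PDO $db, callable $sendMail, int $userId, string $newEmail): bool {
    try {
        $st = $db->prepare('UPDATE users SET email = ? WHERE id = ? AND activated = 0');
        $st->execute([$newEmail, $userId]);
    } catch (PDOException $e) {
        return false;                      // UNIQUE violation: address already taken
    }
    if ($st->rowCount() !== 1) {
        return false;                      // unknown id, or already activated
    }
    sendActivation($db, $sendMail, $userId);
    return true;
}

function activate(PDO $db, int $userId, string $token): bool {
    $st = $db->prepare('SELECT token_hash, token_expires FROM users WHERE id = ? AND activated = 0');
    $st->execute([$userId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['token_hash'] === null || (int) $row['token_expires'] < time()) {
        return false;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {   // constant-time compare
        return false;
    }
    // Single use: the token is cleared as the account becomes active.
    $db->prepare('UPDATE users SET activated = 1, token_hash = NULL, token_expires = NULL WHERE id = ?')
       ->execute([$userId]);
    return true;
}

// Walk-through: the first mail is "lost", the user logs in, fixes a typo in
// the address, gets a fresh mail and activates; the link must work exactly once.
$id = register($db, $sendMail, 'alice@example.test', 'correct horse battery staple');
$outbox = [];                                                 // pretend the first mail never arrived
if (login($db, 'alice@example.test', 'correct horse battery staple')['state'] !== 'unactivated') {
    throw new RuntimeException('expected an unactivated login');
}
changeUnactivatedEmail($db, $sendMail, $id, 'alice.real@example.test');
parse_str(parse_url($outbox[0]['link'], PHP_URL_QUERY), $q);
if (!activate($db, (int) $q['uid'], $q['t']) || activate($db, (int) $q['uid'], $q['t'])) {
    throw new RuntimeException('token must work exactly once');
}
echo 'activated: ' . $outbox[0]['to'] . PHP_EOL;
```

Two things this does not solve on its own. An unactivated row still reserves the address, so someone who registers with another person's email locks that person out until the row goes away; either expire unactivated rows after the token lifetime, or let a new registration replace an unactivated row whose token has expired. And the re-send action should be rate-limited per account, or a logged-in attacker can use the site to flood an address they typed in.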
rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am

Post by rubberjohn »

OK, cheers
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Or send the email before they sign up; follow me here:

To access the signup form they'd have to enter their email and follow a link; on this page they would see the signup form with their email already hard-coded in.

Another thing I do is let the user into their account right away. Unlike systems where they just get a message that their account needs activation, they actually get their control panel, but all links are greyed out except for "my account", so they can still change their password / email. This way they can play with those settings while they wait for the activation email.
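Both of josh's ideas above, as an added example that is not code from this thread. The pre-signup link is stateless: it carries the address, an expiry and an HMAC over both, so nothing is written to the database until the address has been proven, and the signup page takes the email from the verified link rather than from the form. The second half enforces the "everything greyed out except my account" rule on the server, because greying out links in HTML does nothing to stop a direct request. The secret key, route list, link lifetime and example.test URLs are assumptions.

```php
<?php
// Added example, not code from the thread: josh's "email before signup"
// flow done with an HMAC-signed link, plus a server-side gate that lets an
// unactivated login reach only its own settings pages.
// $secret, routes, URLs and the one-hour lifetime are assumptions.
declare(strict_types=1);

const LINK_TTL = 3600;

// Step 1: the user types only an email; we mail back a link. Nothing is stored.
function preSignupLink(string $secret, string $email, ?int $now = null): ?string {
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                           // also guarantees no '|' in the address
    }
    $payload = $email . '|' . (($now ?? time()) + LINK_TTL);
    $mac = hash_hmac('sha256', $payload, $secret);
    return 'https://example.test/signup?' . http_build_query(['p' => $payload, 'm' => $mac]);
}

// Step 2: the signup page renders only if the link verifies; the email it
// shows (and later stores) comes from the payload, never from the form post.
function verifiedEmail(string $secret, array $query, ?int $now = null): ?string {
    if (!isset($query['p'], $query['m']) || !is_string($query['p']) || !is_string($query['m'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $query['p'], $secret);
    if (!hash_equals($expected, $query['m'])) {        // constant-time; tampered email or MAC
        return null;
    }
    $parts = explode('|', $query['p']);
    if (count($parts) !== 2 || !ctype_digit($parts[1]) || (int) $parts[1] < ($now ?? time())) {
        return null;                                   // malformed or expired
    }
    return $parts[0];
}

// Step 3: the new account is logged in at once, but an unactivated session
// may only reach the pages needed to fix its address or password.
const UNACTIVATED_ROUTES = ['/account', '/account/email', '/account/password', '/account/resend', '/logout'];

function routeAllowed(array $session, string $path): bool {
    if (empty($session['user_id'])) {
        return false;                                  // not logged in at all
    }
    if (!empty($session['activated'])) {
        return true;
    }
    return in_array($path, UNACTIVATED_ROUTES, true);
}

// Walk-through with a throwaway key (real code loads a fixed key from config,
// otherwise links stop verifying after the next request).
$secret = random_bytes(32);
$link = preSignupLink($secret, 'Bob@Example.test');
parse_str(parse_url($link, PHP_URL_QUERY), $q);
if (verifiedEmail($secret, $q) !== 'bob@example.test') {
    throw new RuntimeException('a fresh link must verify');
}
$tampered = ['p' => 'mallory@example.test|' . explode('|', $q['p'])[1], 'm' => $q['m']];
if (verifiedEmail($secret, $tampered) !== null) {
    throw new RuntimeException('changing the email must break the MAC');
}
if (verifiedEmail($secret, $q, time() + LINK_TTL + 1) !== null) {
    throw new RuntimeException('an expired link must be refused');
}
$pending = ['user_id' => 7, 'activated' => 0];
if (!routeAllowed($pending, '/account/email') || routeAllowed($pending, '/messages')) {
    throw new RuntimeException('unactivated session must be limited to its settings');
}
echo "ok\n";
```

When the signup form is finally posted, carry `p` and `m` along in hidden fields and call `verifiedEmail()` again on the POST; do not trust the email shown in the form, since anything in the page can be edited before submission.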
rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am

Post by rubberjohn »

Yeah, that could work. At first I thought you just meant to send the email before performing the INSERT, but that would have the same problem as I originally said, in that the email could be sent but the INSERT may have failed, leaving the user with a confirmation email with nothing in the DB to confirm.

I like the idea of giving the user limited access until they have activated; unfortunately this is a little bit beyond my abilities.

cheers for the advice

rj