Email activation

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

lynchpin
Forum Commoner
Posts: 60
Joined: Mon Jul 21, 2008 1:31 pm

Email activation

Post by lynchpin »

Hi guys,

I am building a system and want to use email activation to start the user's account. When a user registers I need to generate an email to the user's email address with an activation link back to my web site, but I am not sure how to go about this. Any ideas? Please help.
Thank you
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Email activation

Post by alex.barylski »

Wrong forum. Anyways it's easy.

Generate a unique ID using time() and md5() or similar approach.

Create a record in a table similar to this:


pkid, userid, time, keycode
keycode is the key generated above.

Send the email with a link in it similar to this:

http://www.mysite.com/validate_user.php ... _GOES_HERE

Now when that user receives the email they click on the link at which point the script checks the key and if it's valid, the user account is created or enabled.

You would also have an expiry date associated with each request, which is why the time field is needed. So before you validate the user account, you might check to ensure all expired records are deleted and disabled user accounts removed as well -- basic clean up.
lynchpin
Forum Commoner
Posts: 60
Joined: Mon Jul 21, 2008 1:31 pm

Re: Email activation

Post by lynchpin »

Thanks a lot Hockney.

You mentioned wrong forum; which forum should I go to? I'm new around here :D

Thanks again.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Email activation

Post by alex.barylski »

IMHO this was more a PHP code question or T & D maybe...then again...I have posted in the wrong forums on many communities where I have been a member longer than 99% of the other members...so even veterans fubar once in a while. :P
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Email activation

Post by Mordred »

Hockey wrote: Wrong forum. Anyways it's easy.
Generate a unique ID using time() and md5() or similar approach.
Apparently it was the right forum ;)
Basing your random on time() (or similar) isn't secure at all. Everybody knows the time, and can brute-force a 10 second interval with 10000 guesses. And let me guess that your activation code doesn't offer any brute-force protection ;)


$better_token = md5(uniqid(mt_rand(), true));
(modified example from the docs --> mt_rand() instead of rand())

This will be better, but maybe still not good enough: it doesn't say where it takes its additional entropy from, so take it with a pinch of salt.
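The flow Hockey sketched (generate a key, store pkid/userid/time/keycode, email a link, check the key on click, purge expired requests) together with Mordred's point that the key must not be derived from time(), as an added example that is not from this thread or any of its posters. It assumes PHP 7 or later (random_bytes, hash_equals) with pdo_sqlite available, and uses an in-memory SQLite table so it runs offline; the one-day lifetime and the example.com base URL are assumed values, not from the thread.

```php
<?php
// Added example, not code from the thread. Assumptions: PHP >= 7.0 and
// pdo_sqlite. Columns follow the thread's sketch (pkid, userid, time, keycode)
// except that keycode stores a SHA-256 hash of the token, never the raw token,
// so a leaked table does not hand out valid activation links.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 24 * 3600;   // assumed policy: link valid for one day

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE activation (
        pkid    INTEGER PRIMARY KEY AUTOINCREMENT,
        userid  INTEGER NOT NULL,
        time    INTEGER NOT NULL,          -- unix timestamp when issued
        keycode TEXT    NOT NULL UNIQUE    -- sha256(raw token), hex
    )');
    return $db;
}

// Issue a token from the CSPRNG (256 bits), not from time()/md5()/uniqid().
// Returns the raw token for the email link; only its hash is stored.
function issueToken(PDO $db, int $userId, int $now): string
{
    $raw  = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO activation (userid, time, keycode) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $now, hash('sha256', $raw)]);
    return $raw;
}

function activationLink(string $baseUrl, string $rawToken): string
{
    return $baseUrl . '/validate_user.php?key=' . rawurlencode($rawToken);
}

// Check a token presented via the link. Returns the userid on success, null
// otherwise. Tokens are single-use: the row is deleted once consumed or expired.
function validateToken(PDO $db, string $rawToken, int $now): ?int
{
    // Reject malformed input before touching the database (64 hex chars expected).
    if (!preg_match('/^[0-9a-f]{64}$/', $rawToken)) {
        return null;
    }
    $hash = hash('sha256', $rawToken);
    $stmt = $db->prepare('SELECT pkid, userid, time, keycode FROM activation WHERE keycode = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // The lookup already matched on the hash; the constant-time compare is
    // defence in depth against a lookup that is ever loosened (e.g. LIKE).
    if (!hash_equals($row['keycode'], $hash)) {
        return null;
    }
    // Consume the row either way so an expired key cannot be retried.
    $db->prepare('DELETE FROM activation WHERE pkid = ?')->execute([$row['pkid']]);
    if ($now - (int)$row['time'] > TOKEN_TTL_SECONDS) {
        return null;   // expired
    }
    return (int)$row['userid'];
}

// The clean-up step from the thread: remove every request older than the TTL.
function purgeExpired(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM activation WHERE time < ?');
    $stmt->execute([$now - TOKEN_TTL_SECONDS]);
    return $stmt->rowCount();
}

// Usage: issue a token for user 42, then exercise the valid, reused, expired
// and unknown cases.
$db    = openDb();
$now   = time();
$token = issueToken($db, 42, $now);
echo activationLink('http://www.example.com', $token), "\n";

var_dump(validateToken($db, $token, $now + 60));            // valid, within TTL
var_dump(validateToken($db, $token, $now + 60));            // same token again: already consumed
$stale = issueToken($db, 43, $now - TOKEN_TTL_SECONDS - 1);
var_dump(validateToken($db, $stale, $now));                 // issued too long ago
var_dump(validateToken($db, str_repeat('0', 64), $now));    // well-formed but unknown
var_dump(purgeExpired($db, $now));                          // nothing left to purge here
```

Two design points worth noting against the thread. A 256-bit random token makes the 10000-guess attack Mordred describes irrelevant, since the guess space no longer depends on the issue time; the endpoint should still be rate-limited and the token single-use so that a guessed or leaked link cannot be replayed. Storing only the hash means the keycode column is useless to anyone who can read the table, which the raw md5(uniqid()) value in the thread's sketch would not be.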
lynchpin
Forum Commoner
Posts: 60
Joined: Mon Jul 21, 2008 1:31 pm

Re: Email activation

Post by lynchpin »

Thanks for the security heads up Mordred.

Will try out your technique.

If I may ask, what's the best way to perform an efficient and easy full-text or fuzzy search of comments stored in a database using PHP?

Thanks again.