Sending activationcode by email - securityissues..


#1 (Join Date: Dec 1969)

Sending activation code by email - security issues..

I have a question regarding how to allow users to activate their accounts from a link which is sent to them by email. The sign-up procedure on my page works like this:

1) User signs up, and inserts username & password into a database. At the same time an activation code is generated and inserted.
2) An email is automatically sent to the user, telling the user to activate the account by clicking a link which submits the activation code to the database (like ).

QUESTION: How should I make sure that "the right user" is activating "the right account"? Should I create a link containing the username as well (like eam )?

And should I use some kind of encryption? Also, should I use some kind of encryption when the password is inserted into the database or when the user is logging in?

Very thankful for any help!
/Viktor
----------------------------------
P.S. I asked a similar question yesterday but then I realised I had to give it a night's sleep before asking anything further!

#2 (Join Date: Dec 1969)

If I understand your system correctly...

...the activation link simply activates the account. If the wrong user used the link to activate the account, it shouldn't be a problem. Just make sure that the user still has to log on using their correct username and password after they activated their account. That way the wrong user won't get into the account, because he/she won't have the correct username and password.

Hence, I would NOT add the username to the link. Just make sure the activation code is unique to the user. You could use a random auto number field in your database for example, or some sort of one-way hash function of the username or a CRC or something. It doesn't really matter, as long as it's going to be unique to the specific user.

To your other question. It is recommended to use encryption when storing passwords in a database, but not vital. As long as your database can't be accessed by the "outside world", the passwords will be safe. However, programming a simple encryption routine is simple, and there's something on 4Guys that gives some information:

I don't quite understand what you mean by using encryption when the user is logged in? There should be no need to keep the password once the user has been authenticated, so there should be no need for encryption. Or what do you mean?

Oliver.
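The flow discussed in this thread (sign-up stores a user row plus an activation code, an e-mailed link submits the code, login still requires the password) as an added, self-contained example in Python. This is not code from either poster and not the ASP code the original site ran; the in-memory `new_db()` dictionary, the function names, the 24-hour token lifetime and the PBKDF2 iteration count are all assumptions made for the example. It shows the two properties the thread cares about: the activation code is tied to exactly one account without putting the username in the link, and the password is stored only as a salted hash. It also handles the details a production version needs that the thread leaves open: the token is random rather than derived from the username, the database keeps only a hash of it, it expires, and it works once.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the thread's database (hypothetical,
# not the original site's schema): one row per user, plus an index from the
# hashed activation token back to the username.
def new_db():
    return {"users": {}, "tokens": {}}

PBKDF2_ITERATIONS = 200_000        # assumed work factor for password hashing
TOKEN_TTL_SECONDS = 24 * 3600      # assumed lifetime of an activation link


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the caller stores (salt, digest), never the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def token_fingerprint(token):
    """Only this hash of the token is stored, so a copy of the database yields no usable links."""
    return hashlib.sha256(token.encode()).hexdigest()


def sign_up(db, username, password, now=None):
    """Create the user row and return the plaintext token that goes into the e-mailed link."""
    now = time.time() if now is None else now
    if username in db["users"]:
        raise ValueError("username taken")
    token = secrets.token_urlsafe(32)          # 256 random bits: unique and unguessable
    salt, digest = hash_password(password)
    fingerprint = token_fingerprint(token)
    db["users"][username] = {
        "salt": salt,
        "pw_hash": digest,
        "activated": False,
        "token_hash": fingerprint,
        "token_expires": now + TOKEN_TTL_SECONDS,
    }
    db["tokens"][fingerprint] = username
    return token                               # never written to the database


def activate(db, token, now=None):
    """Activate the single account the token was issued for; the token is then spent."""
    now = time.time() if now is None else now
    username = db["tokens"].get(token_fingerprint(token))
    if username is None:
        return False                           # unknown, already used, or tampered token
    user = db["users"][username]
    if user["activated"] or now > user["token_expires"]:
        return False
    user["activated"] = True
    # Single use: remove the lookup entry and the stored hash.
    del db["tokens"][user["token_hash"]]
    user["token_hash"] = None
    return True


def login(db, username, password):
    """Activation alone never grants access: the password is still required."""
    user = db["users"].get(username)
    if user is None or not user["activated"]:
        return False
    return verify_password(password, user["salt"], user["pw_hash"])


if __name__ == "__main__":
    db = new_db()
    link_token = sign_up(db, "viktor", "correct horse", now=1_000)
    print("activation link would carry:", link_token)
    print("login before activation:", login(db, "viktor", "correct horse"))   # False
    print("activate:", activate(db, link_token, now=1_001))                   # True
    print("activate again:", activate(db, link_token, now=1_002))             # False
    print("login after activation:", login(db, "viktor", "correct horse"))    # True
```

Because the link carries only the token and the token maps to one account, whoever clicks it can do nothing beyond flipping that account's activated flag; the password check in `login` is what keeps the wrong person out, which is the point made in the reply above. Expiry and single use bound the window in which a leaked or forwarded e-mail can be used at all.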
