amp

Reputation: 12352

Handling non confirmed membership account

I would like to know which procedure I should take in the following situation:

A user registers in the system and an email is sent to confirm the account (with the confirmation token). But the user doesn't confirm the account... If later, the same user or another user tries to register with the same email, should I:

Upvotes: 0

Views: 473

Answers (1)

anaximander

Reputation: 7140

In this scenario, I'd say that registering an account is like putting down a deposit. You've basically staked a claim to that user account. I would give the confirmation tokens an expiry time - say, three days or so. If a second user tries to register an account that conflicts, check whether the user it conflicts with is verified, and for unverified users, check whether their token is expired.

  • If there's a verified user with that name, tell them "sorry, that username is taken".
  • If there's a user who has yet to verify...
    • If their token is expired, then delete it all and give the new user the name, generating a new verification token for them.
    • If their token is still active, then the new user can't have the name. It's up to you whether you just say "that username is taken" or maybe let them know that it's not verified and may be up for grabs sometime soon. I'd probably avoid confusing the users with that much detail, and just say it's taken.

Upvotes: 2
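The decision procedure from the answer above, written out in Python as an added example (not code from the answer). The `Registry` and `Account` names, the in-memory dict standing in for the accounts table, and storing only a SHA-256 hash of the emailed token are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(days=3)  # the "three days or so" from the answer


@dataclass
class Account:
    token_hash: str        # only a hash of the emailed token is stored
    expires_at: datetime
    verified: bool = False


class Registry:
    """In-memory stand-in for the accounts table (hypothetical)."""

    def __init__(self):
        self.accounts = {}

    def register(self, name, now):
        """Return (status, token); the token is emailed, None when taken."""
        key = name.strip().lower()
        existing = self.accounts.get(key)
        if existing is not None:
            if existing.verified or now < existing.expires_at:
                # Verified, or pending with a live token: same reply for both.
                return "taken", None
            del self.accounts[key]  # expired claim: delete it, free the name
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.accounts[key] = Account(digest, now + TOKEN_TTL)
        return "pending", token

    def confirm(self, name, token, now):
        """Verify the account if the token matches and has not expired."""
        acct = self.accounts.get(name.strip().lower())
        if acct is None or acct.verified or now >= acct.expires_at:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, acct.token_hash):
            return False
        acct.verified = True
        return True
```

Because an expired claim is deleted before the new one is created, a token mailed to the first registrant can never confirm the account created by the second.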
