user3822370

Reputation: 647

How can I make a user registration confirmation email secure?

I have written a simple PHP user system where the user submits a user name, password, and email via an HTML form. I hash the password and add everything to a database. In the db table there is a bit field to say whether the account is activated or not. Now the question is, what exactly do I write that creates a registration confirmation email? How do I generate a link that registers this particular user without exposing the system behind it?

This would be the wrong way

Please click this link to complete registration:
www.mysite.com/app/user?register=1&user=thisUser

What am I not thinking of here? How do I make this secure?

Upvotes: 1

Views: 148

Answers (1)

Tom291

Reputation: 519

You could generate a random personal key for every user and insert it into the database. Then the confirm link could look like this:

Click here to confirm:
 http://yourwebsite.com/?confirm=1362172183

Then you can check whether a GET value of 'confirm' is set, and if it exists you can delete the entry in the database and insert something like 'confirmed'. Then you can check if it was confirmed.

Upvotes: 1
