
I'm currently implementing an invite system for a website. The website is publicly accessible so anyone can join, but the idea here is that when the user registers, it will automatically link them up with their friends who are already on the site, should they use the code.

Now, I've decided that should someone send out an invite, it should not be tied to the email address it was sent to, as the user may wish to register with a different email account. I myself have several which I use for different purposes.

In making this decision, though, it means that the only identifier is the code itself. The code is alphanumeric and ten characters long, so there's a good chance it could be guessed and links could be created between users that shouldn't be there.

I can't see any alternative other than having a second key for the user to enter when retrieving the code that only they know about.

Does anyone have any other suggestions?

diggersworld
  • [Project Euler](http://projecteuler.net) has such a system. When you create an account, they provide you with a "friend key". It looks like `45596488648154_d34245463586ab124534b6234a2d579e`. The good thing is, the user can change that key and ask for a new (random) one. – HamZa Nov 12 '13 at 09:09
  • Interesting, so when you send out an invite I assume the retrieve URL contains that rather lengthy key and then the site knows who to link to. – diggersworld Nov 12 '13 at 09:12
  • Well, as a user you can give that friend key to other users. For example, I'm [chatting here on SO](http://chat.stackoverflow.com/rooms/11/php) and found an interesting person. I give him my friend key, say `45596488648154_d34245463586ab124534b6234a2d579e`. After he uses the friend key we will be friends. There is a problem: SO chat is *public*, so anyone checking the transcript (even after a few weeks or ...) could add me. So the solution to that is to generate a new random friend key. The old one "expires" and they could not add me with it -- they will need the new one. – HamZa Nov 12 '13 at 09:17
  • Okay, I'm thinking that I could implement a solution in a way that the friend key is a private UUID for the user. Then when an invite is sent out the retrieval URL contains both the UUID and the invite code. This would be a lot tougher than just the single invite code. – diggersworld Nov 12 '13 at 09:24
  • If you have, let's say, 100 million codes at any time, the chance of guessing the code is 1 to 36561584 if I'm counting right. – Marek Nov 12 '13 at 09:43
  • Why aren't you just managing the invite list via an index of keys? If you generate an MD5 key it can never be duplicated. You can save the inviter user and any other data you want associated with the invite key. Once the key is used, delete the DB row. Another solution is base64-encoding the inviter's email address and looking it up once the new user uses it. – Alon Carmel Nov 19 '13 at 12:24
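As an added example (not code from the question or from any of the commenters), here is a Python sketch of the pieces discussed above: Marek's guess-probability figure for a ten-character alphanumeric code, an invite code that is stored only as a hash and works exactly once (Alon Carmel's "delete the DB row"), and a per-user friend key that can be rotated so that an old key pasted into a public chat stops working (HamZa's Project Euler example). The class and function names, the 192-bit token length and the seven-day expiry are assumptions for the example, not anything the page specifies.

```python
"""Invite codes and rotatable friend keys: CSPRNG-generated, stored hashed, single-use or revocable."""
import hashlib
import secrets
import time
from typing import Optional, Tuple

ALPHANUMERIC = "abcdefghijklmnopqrstuvwxyz0123456789"  # the question's alphabet: 36 symbols


def guess_probability(code_len: int, live_codes: int, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Chance that one uniformly random guess hits any of `live_codes` currently valid codes.

    Assumes codes are uniformly random. The only defence against guessing is the size of
    the code space divided by how many codes are valid at the same time; ten alphanumeric
    characters give 36**10 ~ 3.6e15 codes, so with 1e8 live codes a guess succeeds about
    once in 36.5 million attempts (Marek's figure), before rate limiting.
    """
    return live_codes / alphabet_size ** code_len


def random_alnum_code(length: int) -> str:
    """A code of the questioner's shape, but drawn with the `secrets` CSPRNG, never `random`."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def _fingerprint(token: str) -> str:
    # Store SHA-256(token), not the token: a leaked table or backup then contains nothing
    # redeemable, and looking the digest up in a dict avoids a byte-by-byte compare on the
    # secret itself. A fast hash is enough because every token has >= 128 bits of entropy.
    return hashlib.sha256(token.encode()).hexdigest()


class InviteStore:
    """Single-use invite codes that are not tied to the e-mail address they were sent to."""

    def __init__(self, max_age_s: int = 7 * 24 * 3600):  # assumed 7-day lifetime
        self._rows = {}  # fingerprint -> (inviter, created_at); stands in for a DB table
        self.max_age_s = max_age_s

    def issue(self, inviter: str, now: Optional[float] = None) -> str:
        code = secrets.token_urlsafe(24)  # 192 bits of entropy, ~32 URL-safe characters
        self._rows[_fingerprint(code)] = (inviter, time.time() if now is None else now)
        return code

    def redeem(self, code: str, new_user: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Return the (inviter, new_user) pair to link, or None if unknown, expired or already spent."""
        now = time.time() if now is None else now
        row = self._rows.pop(_fingerprint(code), None)  # pop: a code works exactly once
        if row is None:
            return None
        inviter, created_at = row
        if now - created_at > self.max_age_s:
            return None
        return (inviter, new_user)


class FriendKeyStore:
    """A reusable per-user key like Project Euler's; the owner can rotate it at any time."""

    def __init__(self):
        self._owner_by_fp = {}  # fingerprint -> user
        self._fp_by_owner = {}  # user -> fingerprint

    def rotate(self, user: str) -> str:
        """Issue a fresh key for `user`; any key previously handed out stops working."""
        old_fp = self._fp_by_owner.pop(user, None)
        if old_fp is not None:
            del self._owner_by_fp[old_fp]
        key = secrets.token_urlsafe(24)
        fp = _fingerprint(key)
        self._owner_by_fp[fp] = user
        self._fp_by_owner[user] = fp
        return key

    def owner(self, key: str) -> Optional[str]:
        """Who a presented friend key belongs to, or None if it is unknown or has been rotated away."""
        return self._owner_by_fp.get(_fingerprint(key))
```

The retrieval URL then carries only the high-entropy token; the inviter is looked up from the hashed row rather than being named in the link, and once a code is redeemed the row is gone, so a second registration with the same code links nobody.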

0 Answers