
I am currently working on a big project and the client demands that everything needs to be perfect and done in a standard way, especially in the case of security. There is a user registration session and I have to add an email verification feature too.

I have been doing email verification with the following method in all my projects.

  1. On registration, save the data to the users table, with status (the value of the status column) as 0 and a generated random code in a column intended for that.

  2. Then send a link to the registered mail id with the random code and the user's id as GET variables. Ex: http://site_address.com/verification_url.php?id=1&code=abc123xyz

  3. On the verification page, the value of the GET variable ($_GET['code']) is compared with the random code saved in the database for the user with the passed id ($_GET['id']).

  4. If both codes are the same, status will be set to 1 and a "successfully verified" message is displayed.

Please let me know whether there is a universally accepted method for email verification (with guaranteed security). I would also like to know the security limitations or issues of my method so that I can fix them.

AeJey
  • Verification emails are fine, but include a `filter_var($email, FILTER_VALIDATE_EMAIL)` call, to avoid sending out verification messages to invalid email addresses, and use a Captcha of sorts. BTW: read the help of this site: this question is not a good fit – Elias Van Ootegem Jun 02 '14 at 08:59
  • 1
    You don't need to pass the user id unless your code can be guessed. Just match the code and check if it exists and it's not expired. If yes, mark it verified. – Shiplu Mokaddim Jun 02 '14 at 09:00
  • 1
    @Elias Van: Sorry, I don't know any other place where I can ask for help on this matter. Also captcha and email validations are already present. – AeJey Jun 02 '14 at 09:02
  • @shiplu: Thank you. Will do it. :) – AeJey Jun 02 '14 at 09:03
  • 1
    And don't forget to clear the `verification code` field when a user successfully verified their EMAIL. – Jitendra Yadav Jun 02 '14 at 09:11
  • @Jitendra: Thank you. Will do it too. :) – AeJey Jun 02 '14 at 09:14
  • @AeJey: You already posted a [meta question](http://meta.stackoverflow.com/questions/258006/why-my-question-getting-close-votes) about this, no need to drag this out in the comments here. – Martijn Pieters Jun 02 '14 at 11:15
  • 1
    The universally accepted method of email verification: [a] if this is a public site, don't validate yourself - instead use oauth (like SO) and have them share an existing, verified email address [b] send an email, which is what you are doing, and then make sure there is a time limit on the link [c] do you really need "accounts" on your site? If it's an e-commerce service, people will allow guest access. – Burhan Khalid Jun 03 '14 at 05:17
  • See also: http://stackoverflow.com/questions/3794959/easiest-way-for-php-email-verification-link – Paul Jun 03 '14 at 06:58

2 Answers

2

I wouldn't send the user id; otherwise your method works fine. By sending the user id you tell the outside world a bit too much about your database/code design. Create strong hashes as the code and an expiry date and you will be fine.

ztripez
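Putting the advice from the answers and comments together (unguessable code, no user id in the link, an expiry, and the code cleared once used), here is an added example of the whole flow. It is not code from the question or from either answer. It assumes PHP 7.1+ with the PDO SQLite driver, uses an in-memory database in place of the real users table, and the column names, the 24-hour lifetime and the site URL are hypothetical.

```php
<?php
// Added example, not from the question or the answers. Assumes PHP 7.1+ with
// PDO SQLite. The schema, TOKEN_TTL and the URL below are assumptions.
// An in-memory SQLite database stands in for the real users table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT NOT NULL UNIQUE,
    status INTEGER NOT NULL DEFAULT 0,   -- 0 = unverified, 1 = verified
    verify_hash TEXT,                    -- sha256 of the code, never the code itself
    verify_expires INTEGER               -- unix timestamp after which the link is dead
)');

const TOKEN_TTL = 24 * 3600;   // assumed policy: links are valid for 24 hours

// Step 1: register the user and mint the verification code. Only a hash of the
// code is stored, so a leaked database dump does not contain working links.
function registerUser(PDO $db, string $email): ?string {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                               // do not mail invalid addresses
    }
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG, not guessable
    $stmt = $db->prepare('INSERT INTO users (email, status, verify_hash, verify_expires)
                          VALUES (:email, 0, :hash, :exp)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => hash('sha256', $token),
        ':exp'   => time() + TOKEN_TTL,
    ]);
    return $token;   // goes into the email only; it is never written to the database
}

// Step 2: the link that is mailed out. The code alone identifies the pending
// verification, so the link carries no user id and exposes nothing about the table.
function verificationLink(string $token): string {
    return 'https://example.com/verification_url.php?code=' . rawurlencode($token);
}

// Step 3: verify. Look the code up by its hash, reject unknown, expired or
// already-used codes, then set status = 1 and clear the code so the link
// cannot be replayed. The lookup-by-hash avoids a string comparison in PHP.
function verifyToken(PDO $db, string $token, ?int $now = null): bool {
    $now = $now ?? time();
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) { // shape check before touching the DB
        return false;
    }
    $stmt = $db->prepare('SELECT id, verify_expires FROM users
                          WHERE verify_hash = :hash AND status = 0');
    $stmt->execute([':hash' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['verify_expires'] < $now) {
        return false;                              // unknown, already used, or expired
    }
    $upd = $db->prepare('UPDATE users SET status = 1, verify_hash = NULL, verify_expires = NULL
                         WHERE id = :id AND status = 0');
    $upd->execute([':id' => $row['id']]);
    return $upd->rowCount() === 1;                 // exactly one row flipped to verified
}

// Demo run with constructed addresses.
$token = registerUser($db, 'alice@example.com');
echo verificationLink($token), PHP_EOL;
var_dump(verifyToken($db, $token));                        // first use of the mailed code
var_dump(verifyToken($db, $token));                        // same code again: cleared after use
var_dump(verifyToken($db, str_repeat('0', 64)));           // a guessed code of the right shape
$late = registerUser($db, 'bob@example.com');
var_dump(verifyToken($db, $late, time() + TOKEN_TTL + 1)); // the same flow after the link expired
```

Plain SHA-256 is enough here because the code is 256 bits of CSPRNG output rather than a user-chosen password, so there is nothing for an offline attacker to brute-force; what the hash buys you is that a read of the table (backup, SQL injection, log leak) does not yield usable links. Keep the endpoint behind the same rate limiting as login, and check expiry server-side as above rather than trusting anything in the URL.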
1

Please look at the below; it may help you.

  • create the activation link like

    http://www.hostname.com/verification_url.php?id=base64_encode($id)&code=base64_encode($code)
    
  • verification script

    <?php
    
    if (isset($_GET['id']) && isset($_GET['code'])) {
      # the link carries base64-encoded values, so decode both before use
      # (base64 is reversible encoding, not a secret: the code must still be checked)
      $id   = (int) base64_decode($_GET['id']);
      $code = base64_decode($_GET['code']);
      # your database connection code here
      # fetch the stored verification code and email for $id (use a prepared statement)
      $storedCode = null; # replace with the value fetched for $id
      if ($id > 0 && $storedCode !== null && hash_equals($storedCode, $code)) {
        # update the user status as active, clear the stored code, and send success mail
      }
      else {
        # send failure mail
      }
    }
    
    ?>
    
mikdiet
chinnavan