1

I'm currently working on a small website and my customer is very concerned with privacy issues.

I'm implementing a user registration with common email verification, i.e. when a user wants to register he needs to provide an email address and an email containing a verification link is sent to this address.

In the registration form, I'm doing the usual form validation. If the username - which can be chosen freely - is already in use, a message is displayed saying so. My first thought was to do the same for the email address, because this one also should be unique across the system.

But under some circumstances, even the information if some person is registered at the site might be private. But now, if someone would like to know if some other person is registered and if he would know that other person's email, he could simply try to register a new user with this known address and the error message would tell him that this other person is already registered.

I have one idea how to solve this (I will post it as self-answer) but I would like to know, if 1) this solution has any other flaws and 2) if there are other possible solutions for this situation.

Thanks.

MartinStettner
  • 28,719
  • 15
  • 79
  • 106
  • If privacy is of such importance; why is email verification necessary and desirable? – Williham Totland Nov 15 '11 at 10:00
  • Basically to ensure, that every person is registered only once. Of course it's not difficult to get more than one email address, but at least it would prevent the easy creation of some hundreds of accounts. Also we want to be able to contact the users per email. – MartinStettner Nov 15 '11 at 10:09

2 Answers2

3

So this is the solution I've thought of. Please comment if you detect any problems with it :)

If a new user uses an existing email address, I will simply display the "normal" success message saying that a email with the link has been sent to the given address.

Then an email would be sent to this address saying, that someone tried to register a new user with this address, that this address is already in use and can only be used once (basically, the validation error message will only be sent to the email address and not to the web browser).

MartinStettner
  • 28,719
  • 15
  • 79
  • 106
  • 3
    That's probably you only way around it - also worth looking at placing some human verification logic e.g. image verifictaion, to prevent bots flooding your system with registration requests. – ChrisBD Nov 15 '11 at 10:07
  • 2
    Remember to make password reset mechanisms use the same logic -- always report success ("Check your email") on the Web form and then send a message explaining the success or failure ("Someone asked to reset the password on your account even though you don't have one.") to that email address. – npdoty Nov 16 '11 at 04:24
3

Have you considered choosing to not deal with it at all?

There are a number of ID providers about; and using a similar method to the Stack Exchange family of sites might be more appropriate for your case.

Relegating ID management to an external provider is quite easy, and is easily more secure than having to deal with passwords, emails, user uniqueness, etc. yourself.

Additionally, most ID providers will allow you to access the registered user's email address, so that's not likely to be a concern.

Williham Totland
  • 28,471
  • 6
  • 52
  • 68