Flames Posted November 2, 2008

Well i'm making a registration script, that's not the problem though. The problem is activating accounts. what do i do, send them a random password? or make an activation page and send them a special link to use?

bobbinsbro Posted November 2, 2008

i've had both done to me numerous times, and i think i prefer to receive an e-mail with a link, as long as the activation page logs me in automatically (maybe add a couple of radio buttons saying "would you like to log in?" for those who don't) and redirects me to the main page onClick on a radio button (disabling javascript is for weaklings!) and add a "continue" button for the weaklings.

Flames Posted November 2, 2008

sounds like a plan, though what information do you usually put in an activation email? i'm thinking of putting the md5 password and maybe encoding the username, and on the activation page decode the username?

Andy17 Posted November 2, 2008

As far as I remember, I took the sha1 of the password + some random characters and put it in my URL that I sent in the validation mail. Then I just check if that code exists in my temporary member table and if it does, that row is moved to another table. If it doesn't, the code is obviously invalid. Just what I did.

bobbinsbro Posted November 2, 2008

sounds like the way to do it. although i'm not sure you need sha1 if you salt the password string. md5 should be fine. actually, there'd be no real difference, only i dislike seeing long urls sitting in my e-mails. i know. i know. i'll go take my medication right away... and if you don't expect to have many users, you can probably put them all into the same table with an extra boolean column called "active". just make sure to run a clean-up every so often to delete un-activated users older than, say, 1 week.

Flames Posted November 2, 2008

yeah i have a part in my table called status which is 0 or 1 cause i thought this was how i was gonna do it. But i got another question: to make logging in more secure, should i use a secondary table which holds info of the logged in user, so my pages can check if the user should be logged in or if they've somehow hacked in?

bobbinsbro Posted November 2, 2008

possibly... i dunno. on the 1 hand, it seems a little over-kill to me, but on the other, maybe you'll have content that really needs that extra protection. what kind of site is this gonna be? i think i would consider doing this for a small handful of sensitive pages, but not for the whole site. consider that for this method of protection to be effective, you'd have to make an extra DB query + table look-up per user per page request. it doesn't amount to much if you don't have much traffic/users, but as the requests/user-base increase, so will the client waiting time. not that it won't happen anyway, but i believe this would get you to the point where you have to upgrade to a better host that much sooner. this is just a guess, and not even a very educated one, so take it with a grain of salt (more like 3 lbs. of salt...).

Flames Posted November 3, 2008

well, i don't think the protection required is going to be that necessary, as for my site, i don't know what i'm gonna do with it, i was thinking about maybe tutorials, or a game, but generally it's for me. And seeing as it's a free host that will probably rip the server apart. But i don't think mine is secure at the moment, cookies a username and a password, any more tips on that?

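
One way to build the "secondary table" asked about above, as an added example that is not code from the thread: the cookie carries only a random session ID, the table stores its SHA-256 hash, and each page resolves the cookie with a single lookup instead of reading a username and password from cookies. The `sessions` schema, the `sid` cookie name, the 30-minute timeout and the function names are assumptions.

```php
<?php
// Added example; table, cookie and function names are hypothetical.
const SESSION_TTL = 1800; // assumed idle timeout in seconds

function startSession(PDO $db, int $userId, int $now): string
{
    $sid = bin2hex(random_bytes(32)); // opaque value; holds no username or password
    $db->prepare('INSERT INTO sessions (sid_hash, user_id, last_seen) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $sid), $userId, $now]);
    return $sid; // send with setcookie('sid', $sid, ['httponly' => true, 'secure' => true])
}

// The per-request check discussed above: one primary-key lookup per page load.
function currentUser(PDO $db, ?string $sid, int $now): ?int
{
    if ($sid === null || !preg_match('/\A[0-9a-f]{64}\z/', $sid)) {
        return null; // missing or malformed cookie
    }
    $hash = hash('sha256', $sid);
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE sid_hash = ? AND last_seen >= ?');
    $stmt->execute([$hash, $now - SESSION_TTL]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null; // unknown, expired or logged out
    }
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE sid_hash = ?')->execute([$now, $hash]);
    return (int) $userId;
}

function endSession(PDO $db, string $sid): void
{
    $db->prepare('DELETE FROM sessions WHERE sid_hash = ?')->execute([hash('sha256', $sid)]);
}

// Constructed demo in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sid_hash TEXT PRIMARY KEY, user_id INTEGER, last_seen INTEGER)');
$sid = startSession($db, 42, 1000);
var_dump(currentUser($db, $sid, 1600));                     // live session
var_dump(currentUser($db, str_repeat('0', 64), 1600));      // value not issued by the server
var_dump(currentUser($db, $sid, 1600 + SESSION_TTL + 1));   // idle past the timeout
endSession($db, $sid);
var_dump(currentUser($db, $sid, 1700));                     // after logout
```
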
jjacquay712 Posted November 3, 2008

OK... here's some code, hope it helps.

```php
<?php
// Build a 10-character random activation string.
$random = '';
for ($i = 0; $i < 10; $i++) {
    // random_int() draws from the OS CSPRNG; rand() output is predictable
    $random .= chr(random_int(33, 58));
}
$user = "user"; // Your username
// Email this string. urlencode() keeps characters such as & and # from breaking the query string.
$link = "yourpage.php?rand=" . urlencode($random) . "&username=" . urlencode($user);
?>
```

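
The activation-link flow discussed in the thread so far, as an added example that is not code from any of the posts: a random single-use token stored only as a SHA-256 hash, a `status` column of 0 or 1, and the one-week clean-up of un-activated rows. The `users` schema, `activate.php`, the function names and the in-memory SQLite database are assumptions; the token here is independent of the password, unlike the password-derived codes mentioned above.

```php
<?php
// Added example; schema, file and function names are hypothetical.
const TOKEN_TTL = 7 * 24 * 3600; // the one-week window suggested in the thread

function registerUser(PDO $db, string $user, string $password, int $now): string
{
    $token = bin2hex(random_bytes(16)); // 32 hex chars from the OS CSPRNG, URL-safe
    $db->prepare('INSERT INTO users (username, pass_hash, status, token_hash, created)
                  VALUES (?, ?, 0, ?, ?)')
       ->execute([$user, password_hash($password, PASSWORD_DEFAULT),
                  hash('sha256', $token), $now]);
    return 'activate.php?token=' . $token; // only the token goes in the mail
}

function activate(PDO $db, string $token, int $now): bool
{
    // Pending + unexpired + matching hash; clearing token_hash makes the link single-use.
    $stmt = $db->prepare('UPDATE users SET status = 1, token_hash = NULL
                          WHERE token_hash = ? AND status = 0 AND created >= ?');
    $stmt->execute([hash('sha256', $token), $now - TOKEN_TTL]);
    return $stmt->rowCount() === 1; // 0 rows: unknown, expired or already used
}

function purgeStale(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM users WHERE status = 0 AND created < ?');
    $stmt->execute([$now - TOKEN_TTL]);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT UNIQUE, pass_hash TEXT, status INTEGER,
                               token_hash TEXT, created INTEGER)');
$t0 = 1225584000; // constructed registration time
parse_str(parse_url(registerUser($db, 'alice', 'example-pw', $t0), PHP_URL_QUERY), $a);
parse_str(parse_url(registerUser($db, 'bob', 'example-pw', $t0), PHP_URL_QUERY), $b);
var_dump(activate($db, $a['token'], $t0 + 3600));          // fresh link
var_dump(activate($db, $a['token'], $t0 + 7200));          // same link replayed
var_dump(activate($db, $b['token'], $t0 + TOKEN_TTL + 1)); // link older than a week
var_dump(purgeStale($db, $t0 + TOKEN_TTL + 1));            // clean-up of pending rows
```
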
runnerjp Posted November 3, 2008

ok surely sending a password in an email is a security issue, is it not? i would stick with activation link

Flames Posted November 4, 2008

i guess it would be but you don't put the username in the email, so they can't login either of them. but isn't cookies a security issue?

runnerjp Posted November 6, 2008

well how about using an activation code that has to be manually typed in? once done the user still has to enter a password and username to gain access!

bobbinsbro Posted November 6, 2008

i'm never registering for any of runnerjp's sites

@flames: i thought you decided to go with andy17's method? if the password is salted and encrypted, i don't see why there should be any problem.

runnerjp Posted November 6, 2008

haha i do it by activation link

Flames Posted November 7, 2008

it's done now thanks, although it always says it's been updated even if it hasn't but seeing as registering isn't done yet i'm not bothered