Badaboom Posted August 8, 2011

Hi guys, I need some guidelines on programming some part of my website. Actually I don't need anyone to provide me with any scripts, just to help me out on how it is done elsewhere.

So here is the thing: I need a page for registration and another page for when the users are requesting a forgotten password. Obviously I am using a database. Obviously, like elsewhere, I am creating an activation code which is sent by email; this part is good.

So my question is where do you keep the activation code? From the searches I made, some of them are keeping them in the registered table, others are creating a temporary table for new registrations and then transferring the values to the registered user table. So two tables, the actual registered one and a temporary table. Even though both ways are good, I still need to find out the best, simplest and most secure way of doing so. Any other ideas or suggestions are most welcome.

My idea was to create a text file with all the info. The text file would be named with the same activation code (ex.: $activeCode.txt.inc) or something like that. If the text filename matches the one sent by email then we proceed with activation and it is deleted when it is done. If not then... well, you get the picture.

As for password reset, my issue is I don't want to send them a new password automatically. What I would rather do is send a message saying something like this: "You or someone else is using your email to request a password change... If you did not make such a request then delete the email; if you did request it then click on the following link... bla bla bla..." So I still want to keep the old password if it's a false request. Would you create another field for password reset? If you need to revert to their old password, would you keep the old one in another field just in case?

Where do we keep the activation code: another temporary table, the registered table (final one) or even a text file which is deleted once the password has successfully been modified?

Another question about passwords: would encrypting the password with md5 be enough or would you use another encryption method?

As I mentioned, all I need is some brainstorming on the activation process. I'm just curious how you guys would do it, and surely some of you would come up with problems using any of these techniques.

Thanks again

WebStyles Posted August 8, 2011

I would store the activation codes in a database, and also have a time limit on them (like if they're not accessed within 30 minutes, they get disabled or deleted). .txt files seem insecure to me, since there are many downloaders out there that will easily download these files.

rbrown Posted August 8, 2011

I'm actually working on a script that does what you want. I found it on the internet and I have had to rewrite a lot of it because of undefined variables, poor coding practices and trying to make the code flow better. Too many pages...

What it does is it sends an activation email to the email they signed up with. And it stores their data in the registered users table but changes the verified field to 1, and it uses the MySQL password function to encrypt the password. If they aren't activated then it will delete the record after X amount of days. Also it has an admin function where you can purge the users if they haven't logged in for X amount of days, weeks, years.

As far as the password request... as soon as they request it for the email address on file, it changes it and sends them the new password. I'm going to change it to where it sends them an email, then they have to click the link to change the password. Otherwise anyone could type in an email address and change their password, and if they don't see the email, then you will get "I can't login" emails.

It also has logging (haven't played with that yet), IP banning, and you can set up multiple groups to protect different sections of your site. It will redirect them to whichever section when they log in. However, you need to set the groups up when you "install" the script. I'm adding a script to make it based on the username and their redirection url, so I won't need to create more groups... that way I just add the redirection url and the script will verify if they can access it. The way it is now, all of the "user" group can access any of the other offices (if they know or guess the other urls). I'm using this part for a manual setup because it is for multiple doctors' offices; I need to create access for users/offices on the fly.

Hope this gives you some ideas... and there are scripts out there (I tested probably about 50 of them before I found something close to what I wanted) if you don't want to reinvent the wheel... you might only have to fix a flat...
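
A sketch of the approach suggested in the replies above, as an added example that is not code from any poster or from the script rbrown describes: activation codes and reset links live in a database table as SHA-256 digests, expire after 30 minutes, work once, and the old password stays in place until a reset link is redeemed. Python with in-memory SQLite stands in for the site's own stack; the table, column and function names are assumptions, as is the use of salted PBKDF2 for the stored password.

```python
import hashlib
import secrets
import sqlite3

TOKEN_TTL = 30 * 60  # seconds: the 30-minute limit suggested in the thread

def open_db():
    conn = sqlite3.connect(":memory:")  # stands in for the site's database (assumption)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    conn.execute("CREATE TABLE tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, purpose TEXT, "
                 "expires_at INTEGER, used INTEGER DEFAULT 0)")
    return conn

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)  # salted, slow hash

def add_user(conn, email, password):
    salt = secrets.token_bytes(16)
    return conn.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                        (email, salt, hash_password(password, salt))).lastrowid

def check_password(conn, email, password):
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and secrets.compare_digest(row[1], hash_password(password, row[0]))

def issue_token(conn, user_id, purpose, now):
    """Return the raw code for the e-mail link; only its SHA-256 digest is stored."""
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO tokens (token_hash, user_id, purpose, expires_at) VALUES (?, ?, ?, ?)",
                 (hashlib.sha256(token.encode()).hexdigest(), user_id, purpose, now + TOKEN_TTL))
    return token

def redeem_token(conn, token, purpose, now):
    """Return the user_id once; None if the code is unknown, expired or already used."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    cur = conn.execute("UPDATE tokens SET used = 1 WHERE token_hash = ? AND purpose = ? "
                       "AND used = 0 AND expires_at > ?", (digest, purpose, now))
    row = conn.execute("SELECT user_id FROM tokens WHERE token_hash = ?", (digest,)).fetchone()
    return row[0] if cur.rowcount == 1 else None

def reset_password(conn, token, new_password, now):
    """The old password stays valid until a reset link is actually redeemed."""
    user_id = redeem_token(conn, token, "reset", now)
    if user_id is not None:
        salt = secrets.token_bytes(16)
        conn.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE id = ?",
                     (salt, hash_password(new_password, salt), user_id))
    return user_id is not None
```

The same `issue_token` / `redeem_token` pair serves both flows: pass `"activate"` as the purpose at registration and `"reset"` for a forgotten password, so a code issued for one cannot be replayed for the other.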