Email Authentication ?

[Accurax]

Happy new year Chaps & Chapettes,

I have a membership system allready in place, and would like to make it so that the user must activate there acount by clicking on a link within a generated email that is sent after the registration process.

I cant seem to find all that much that is specifically relevant to this via google, and thought id as if anyone here could point me to a resource that may explain whats involved in acheiving this.

Thanks in advance

[taith]

1) they sign up, puts info into the database, deactivated, should also have an activation key
2) you'd want to look into the mail() function for the sending of emails. have a link in the email that uses the activation key to activate the account

[invincible_virus]

for security reasons.. also make sure that ur activation key is long and difficult to guess.

[Accurax]

Ok that makes sennse, i allready understand the mail() function .... its the deactivated / activated status that confuses me ?

[trq]

before you send the email you would generate a randowm key, store this within the database with the email address.

Send an email with a link to confirm.php?key=$key&email=$email

Then, in confirm.php query the database to make sure the email and key match.

[taith]

in your database, put a field for "active" varchar(1) default(0), and another "activekey" varchar(40)
then when you sign up, you put in info into database

[code]
<?
$key=randomkeys(40);
mysql_query("INSERT INTO users(`activekey`) VALUES('$key')");
mail();#have $key link sent to the user

function randomkeys($length){
$pattern = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
for($i=0;$i<$length;$i++) $key .= $pattern{rand(0,62)};
return $key;
}
?>[/code]

then on your activate page

[code]
mysql_query("UPDATE users SET active='1' WHERE key='$key'");
[/code]

[Accurax]

Ahhh, i see thankyou.... so once ive done that, i'll need to change all my later queries and sessions start criteria to only select users WHERE activekey='1', i presume.

Thanks matey, thats actually quite straightforward

[taith]

its easier to just put it into the login form ;-)

[code]
$password=md5($_POST['password']);
$result = mysql_query("SELECT * FROM users WHERE `username`='$_POST['username']' AND `password`='$password' LIMIT 1");
$row=mysql_fetch_array($result);
if($active==0) die("Account Not Yet Active");
[/code]

[Accurax]

[quote author=invincible_virus link=topic=120817.msg496010#msg496010 date=1167827254]
for security reasons.. also make sure that ur activation key is long and difficult to guess.
[/quote]

Would an MD5 Hash of there selected username be appropriate?

[taith]

yes, md5 gives you 32 character cypher, if you want more/less/more secure, use this...
[code]
function randomkeys($length){
$pattern = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
for($i=0;$i<$length;$i++) $key .= $pattern{rand(0,62)};
return $key;
}
$key=randomkeys(rand(32,40));
echo $key; #display purposes
[/code]

[Accurax]

to be honest the whole thing is only to ensure that people are putting in correct email addresses.... so ill just md5 hash the username as well as the password

[taith]

sure... thats up to you... using randomkeys() is just as easy :-)

[SharkBait]

Most sites I see just use the MD5 hash of the password.

[code]
<?php
if(isset($_GET['key'])) {
  $key = $_GET['key'];

  // check key against md5 hash that is store in the database (or whereever)
  if($key == $users['password']) {
    // Activate the account
  } else {
    // Keys don't match, go mental!
  }
}
?>
[/code]

[taith]

yes... you can md5 the password, use that... however... i suggest against that... putting the password out there only tells the users what type of encryption your using... and the less information you put out there about your encrypted passwords, the better.