3
votes

I want to make an email confirmation registration, so that when the user registers he or she gets an email with a link to confirm it. The link would be something like: www.site.com/confirm?id=34398df809as8df9, and then I would match that with the UserId in the database from the standard aspnet membership provider. Does using the UserId as the guid being passed in the email pose any sort of vulnerability or security threat?

3
I think a keyword useful here is "nonce". (user166390)

3 Answers

7
votes

Is the GUID the only thing in the link? If so, that's absolutely not secure. It means that once an attacker has anyone's ID (e.g. by finding an old email) they can reset the user's password whenever they want.

A password reset link should at least include a single-use, time-limited token.

4
votes

I would definitely NOT be using primary keys from my database in anything that goes outside the system. Create a one-time key specifically for the registration loop and then invalidate it after the registration is complete.
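Both answers above make the same recommendation: do not expose the database UserId, and instead generate a separate single-use, time-limited token for the registration loop. The following is an added example (not code from the original question or answers, and not tied to the ASP.NET membership provider) showing one way to implement that in Python. The in-memory `_pending` dictionary is a stand-in for a database table; `TOKEN_LIFETIME_SECONDS`, the function names and the sample user id are my own choices.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Lifetime of a confirmation link. 24 hours is the shorter of the two windows
# mentioned on this page; tune it to your registration flow.
TOKEN_LIFETIME_SECONDS = 24 * 60 * 60


@dataclass
class PendingConfirmation:
    user_id: str
    expires_at: int  # Unix time, seconds


# Stand-in for a database table keyed by the SHA-256 digest of the token.
# Only the digest is stored, so a leaked copy of this table does not yield
# working confirmation links; the raw token exists only in the email.
_pending: dict[str, PendingConfirmation] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_confirmation_token(user_id: str, now: int) -> str:
    """Create a fresh token for user_id and remember its expiry."""
    # 256 bits from the OS CSPRNG: unguessable and unrelated to the UserId,
    # unlike a GUID that is stored in the database and may appear in old mail.
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = PendingConfirmation(user_id, now + TOKEN_LIFETIME_SECONDS)
    return token


def consume_confirmation_token(token: str, now: int) -> Optional[str]:
    """Return the user_id the token belongs to, or None if it is unknown,
    already used, or expired. A valid token is removed on first use."""
    # pop() is what makes the token single-use: presenting it again finds nothing.
    record = _pending.pop(_digest(token), None)
    if record is None:
        return None
    if now > record.expires_at:
        return None
    return record.user_id


def build_confirm_link(base_url: str, token: str) -> str:
    """Link to embed in the email; carries the random token, not the UserId."""
    return f"{base_url}/confirm?token={token}"


if __name__ == "__main__":
    # Demo with a constructed user id; a real flow would use the membership UserId.
    now = int(time.time())
    tok = issue_confirmation_token("34398df809as8df9", now)
    print(build_confirm_link("https://www.site.com", tok))
    print("first use  ->", consume_confirmation_token(tok, now + 60))
    print("second use ->", consume_confirmation_token(tok, now + 120))
```

Because the token is stored server-side, revoking it (for example when the user asks for a new email) is a matter of deleting the row, and the link carries nothing that identifies the account on its own.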

1
votes

In my opinion that's not safe and it can be misused (though not very easily, but still...!). You should have the confirmation link carry a timestamp of when the email was sent, encrypted with some custom logic, so that it contains a computed hash of the user_id as well as the timestamp in a single string, plus something additional if you want to put it in.

When you add a timestamp you can add a validation that this confirmation link has to be used within 24 or 48 hours, or else you have to generate a new one.

Up to you, but a plain Guid won't be a good idea.
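This answer describes a stateless variant: the link itself carries the user_id and the send time, protected so the server can check it has not been altered and is still within the 24 or 48 hour window. The example below is added here and is not code from the answer; it uses a standard keyed hash (HMAC-SHA256) in place of the "custom logic" the answer mentions, because a MAC is what actually stops a reader of the link from forging a different user_id or timestamp. `SERVER_KEY`, `LINK_LIFETIME_SECONDS` and the function names are my own assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side secret. A real deployment loads a fixed key from
# configuration so tokens survive restarts; a fresh key per process, as here,
# is fine for the demo and keeps the example self-contained.
SERVER_KEY = secrets.token_bytes(32)

# The 48-hour window from the answer.
LINK_LIFETIME_SECONDS = 48 * 60 * 60


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token survives being a query value.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(user_id: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Token = base64(user_id|issued_at) . base64(HMAC(key, user_id|issued_at))."""
    payload = f"{user_id}|{issued_at}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_confirmation_token(token: str, now: int, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user_id if the tag verifies and the link is within its
    lifetime; otherwise None. Never trust the payload before the tag checks."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None

    # Constant-time comparison: the tag is attacker-supplied input.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None

    try:
        # rsplit so a user_id containing "|" cannot shift the timestamp field.
        user_id, issued_text = payload.decode("utf-8").rsplit("|", 1)
        issued_at = int(issued_text)
    except ValueError:
        return None

    # Reject links from the future as well as expired ones.
    if now < issued_at or now - issued_at > LINK_LIFETIME_SECONDS:
        return None
    return user_id


if __name__ == "__main__":
    # Constructed demo values; the user id is the one quoted in the question.
    issued = 1_700_000_000
    tok = make_confirmation_token("34398df809as8df9", issued)
    print("link   : https://www.site.com/confirm?token=" + tok)
    print("fresh  :", verify_confirmation_token(tok, issued + 3600))
    print("expired:", verify_confirmation_token(tok, issued + 49 * 3600))
```

The trade-off against a stored random token is that a signed link is not single-use by itself: a valid token stays valid for the whole window unless the server also records that the account has been confirmed and rejects further attempts. Note too that the payload here is readable by anyone holding the link; HMAC gives integrity, not confidentiality, which is enough for a confirmation flow where the user_id is not itself secret.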