0
votes

I was thinking about this method:

  1. User enters username, password etc at registration form and clicks on submit
  2. I store the values in the db (the pw is hashed, of course), generate a random string token for this user in the database, and set a variable to false in the database, meaning that the user's registration is not confirmed yet.
  3. I send the confirmation e-mail to the user's e-mail address: please confirm your registration here: domain.com/confirm.php?token=RANDOMSTRING, where RANDOMSTRING is the string I generated at registration when he clicked on submit. With this method I think the user cannot confirm anyone else's registration, only his/her own.
  4. The user clicks on the link in the e-mail; here I ask for more data about him (on the domain.com/confirm.php?token=RANDOMSTRING page), he adds more data about himself in the form and confirms the registration. Then I set a variable to true in the db, meaning the user's registration is confirmed. (In confirm.php I check whether the token exists in the database.)

Is it a good method?

That's the way many web sites handle registration. I don't see why you need to ask about it here. The devil, though, is in the detail. - Tangentially Perpendicular
Is this academic code purely for learning, or for a production site? - tadman
Generating a random "confirmation token" is pretty standard. What's the question here? - tadman

1 Answer

0
votes

The obvious catch here is collisions for your RANDOMSTRING value (even though it's unlikely with a large RANDOMSTRING). There's also a risk of an enumeration attack if validating the account starts a session or exposes any other information. You could avoid these by using a URL which includes both the user's email and RANDOMSTRING and requiring a match on both before activation.
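The flow from the question with the answer's "match on both e-mail and token" rule, as an added Python example (not the asker's PHP, not code from the answer). The in-memory `users` dict stands in for the database table, and the 24-hour expiry, the hashing of the stored token and the single-use rule are assumptions added here; looking the record up by e-mail first also means two users drawing the same RANDOMSTRING can no longer confirm each other's account.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumption: confirmation links expire after one day

# Constructed in-memory stand-in for the users table: email -> record.
users = {}


def register(email, password_hash, now=None):
    """Create an unconfirmed account and return the raw token for the e-mail link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    users[email] = {
        "password_hash": password_hash,
        "confirmed": False,
        # Store only a hash so a leaked table does not hand out working links.
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "token_expires": now + TOKEN_TTL,
    }
    return token  # goes into confirm.php?email=...&token=... in the e-mail


def confirm(email, token, now=None):
    """Activate the account only if the e-mail AND the token both match.

    Every failure returns the same False so the endpoint cannot be used to
    tell registered addresses from unregistered ones (the enumeration risk
    mentioned in the answer)."""
    now = time.time() if now is None else now
    user = users.get(email)
    if user is None or user["confirmed"] or user["token_hash"] is None:
        return False
    if now > user["token_expires"]:
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison: the time taken must not reveal how many
    # characters of the token were correct.
    if not hmac.compare_digest(supplied, user["token_hash"]):
        return False
    user["confirmed"] = True
    user["token_hash"] = None  # single use: the link is dead after confirmation
    return True
```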