Best way for confirmation email links to submit ID
Asked Answered
S

3

1

I've got a web site sending someone a confirmation email.

Now in the email I would like to have a link the user has to click to confirm he received the mail.

I'd like to include the user's password (or some random code) into the confirmation address, so the user does not need to enter it by hand again, but if I do this, the password will end up in the browser history and the log files.

Is there any other way to get a confirmation link in an email to send information like a user name and password, without it ending up in the link somehow?
Is it, for example, possible to have an input form in an email and send the password as POST instead of GET?

Surtax answered 17/10, 2008 at 16:0 Comment(0)
G
6

The way this usually works is that the confirmation email contains a link that includes a GUID (Globally Unique Identifier) of some sort. The GUID is associated with the user's account. When the link is clicked the web application simply sets the confirmation flag and logs the user in using the GUID rather than the usual username and password combination.

Goaltender answered 17/10, 2008 at 16:5 Comment(2)
Its generally worth making sure the GUID is a "one time good deal" and that once the mission has been accomplished it prevents that GUID from working a second time.Ming
any reason to make the user type also type in his password or userrname on the return screen?Hollo
I
5

Calculate a hex digest (e.g. md5) based on the user's id and the current time. Persist this code to a database or write a file with it as the filename, and include the user's ID and email address.

Set up a http handler (cgi, php, servlet, etc...) to receive GET requests based on a URI that looks something like "/confirm_email/{hexdigest}" or "/confirm_email.php?code={hexdigest}"

When a user needs to confirm their email, send a link to the above servlet containing the digest.

When someone links to this URI, retrieve the db record or file with the matching digest. If one is found the email address contained is now verified.

If you want to make it more robust: When a user verifies their email, change the hex digest to just be a hash of the email address itself with no salt. Then you can test if someone's email has changed and needs to re-verify.

Inutility answered 17/10, 2008 at 16:12 Comment(0)
D
2

You can pass the GUID in the email. That particular GUID has to be associated with the user. Then when the user clicks the link the GUID is sent back to the application and can be captured as a QueryString. Extract the GUID an update that the user has been approved.

Devitrify answered 17/10, 2008 at 16:4 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.