Standard procedure for confirming email for a web app - php

I have created a web app that is almost finished. I need it to confirm new emails. I just want to know if the these are the right procedures for that, because I'm not familiar with this.
I create a new table called "confirmEmails" with only one column with uniqueId. A unique Id is created with PHP: uniqueid() which is created directly after a user hit the submit button. And the php script stores it on the table. An email is sent together with a link www.domain.com/confirmEmail.php?uniqueId=kushfpuhrufhufhfhuhfheriufhehu. I have an another php script called confirmEmail.php that gets the value if uniqueId through the link with $_GET['uniqueId'];(maybe I shall use post instead her). And now it stores the new email in table called user
Is it right procedures? Pls give me some feedback!

Your description says that you have only one column in your unique table. You need to associate the unique Id (token) with the specific user you validate. Otherwise a user could confirm a fake address using another user's unique id.
You could put the unique id in a column of the user table to make sure the right unique id used for activating an account.
Note: Another way would be to create a activation token from the user id and some secret in your configuration, such as sha1($userid . 'yourSecret'). With that you would not need to store additional data, but it is not possible to guess this token without knowing your secret.

That sounds like it would work fine. Seems like the standard now a days.

Related

Wordpress remove user registration for custom implementation

I am integrating a user verification feature into a plugin I am developing whereby a user must verify their email address by clicking a link sent to them.
It is based on code provided on Github
At the moment I create a 'temporary' user, then delete the user from the users table. Only after verification is the user added back into the users table.
Is there a way to disable the core user registration in Wordpress so that I don't have to delete the user, therefore it is never stored in the database until it is created by the verification code?
I am finding, quite naturally, the user IDs are skipping every one digit so that for example, a verified user has an id '1' then the next is '3'.
Thanks,
Leon
The standar way to do that is through a field in the table users that is set to true for example whenever the user have validated his email via your link.
And with this field you control that if the field is not validated you dont let them sign in on you website.
So in order to apply this you need to find the sections in your wordpress that control de sign in to put the restriction with this new field
I'm going to be more specific so you can remove the downvote...
Lets think for example that you have a field named email_verify which will just contain a 1 or a 0 if the email is already validated or not.
Then you have another field for example session_token with a sha1 or random token that must be unique for the link that will validate the email when clicking on it.
You need to have a php function that catches when someone enters that link and you do it by extracting the sha1 from the link as an url parameter and searching in your table for whoever have that session_token, when you find a record with this session_token then you turn your email_verify value to 1 meaning the email is already verified and then you turn null the session_token field so the link expires.

Laravel add additional information for user

I'm using Laravel for a little app. In this app I added the auth things of Laravel (verison 5.3), so I automatically got a possibility to register and log in.
So what I got now are a few controllers, 2 vies and a table users, with name, email and password and a unique auto incrementing primary key. What I want now, is to make the logged in user able to add additional information, like City, Street, Telephone, etc..
I don't want to make the user able to add this directly at register. What I want instead, is, that if the user is logged in, he can navigate to a view (lets say its reachable through the route /changeUserData. There, he can find a form. In this form, initally there is no data, he can enter everything (as I said, like City, Street, etc.) and save information. I'd like to save this information in another table in the db, called user_infos, with several columns containing City, Street, Telephone, etc. I'd like to be able to have this second table without a primary key, but with a foreign key - the primary key of the users table.
So the process would be, navigates to the view with the form /changeUserData. Then there is a lookup in the table user_infos, if the logged in user already saved information there. Therefore, I'd need to look up the primary key of the user via the email-adress (unique as well), which is stored in {{auth::user()->email}}. If he didn't save any information there yet, then he gets a blank form, where he can enter everything. Clicking on save, makes a new entry in the user_infos table, containing all information entered, as well as the foreign key got from the users table. If there is already an entry for the user, the information should be already shown in the form inputs, and the user should also be able to edit the information and save the updated information.
I know this was much text. Basically what I need to know is how to really do the database things. So how can I lookup the primary key (respectively the column with the name id) with the email-adress. How can I then create a new row in the other table, containing this id and the information entered? And how can I get the information from the database then to add in to the form inputs? Basically what I found is Eloquent ORM, but I doesn't seem to understand it. Can anybody give me an example of how I can do this?
Please note, that I'm completely new to Laravel, as well as this hole Object - Model thing, this might be the reason, why I'm confused about it.
Have a look at this series https://laracasts.com/series/laravel-5-fundamentals
The Eloquent tutorial: https://laracasts.com/series/laravel-5-fundamentals/episodes/8
The directory structure will probably be a little bit different as it is a slightly older version of Laravel but it will get you started.
Hope this helps!

How to deal with user email change

I'm adding an option for my users to change their email, and I'm thinking what is the best way of doing it in a safe and fool-proof manner.. so far I have the following options
1) When user changes the email, system stores in a temporary column in the database and sends an email to the new one, requiring the user to click the link to confirm it and only then, change it (I would need 2 extra fields on my DB - temp_email and email_token)
2) When user changes the email, system would gather data from AccountID and New Email, encrypt it and send it to the new email.. when the user clicks the link, system decrypts it and changes accordingly.
I really like the second option, since it does not require saving extra fields on the database.. so my question is.. which one is a better solution? Or perhaps a third one..
I have two fields in my users table: recovery_hash and recovery_time that are updated when a user changes something. I put in a random hash and the current time.
I then send an email to that person (in your case, to their new address), and in the link is the hash (http://foobar.com/verify/randomHashG03sHere). The user clicks the link and it goes to a verify script on the server - which validates the hash and then checks to see if the current time is within an hour of the recovery_time. If both checks validate, I make the change, which, in your case would be updating the users email field with their new email address - which you could store in a separate table, or even in the same users table as a new_email field.
Since you're anticipating the user wanting to change things, you could just store the new email address in a separate table, such as users_temp.email and then update the users table with that new value after it's been validated.
You could just create another table to deal with temporary e-mail addresses (e-mail + AccountID + token + timestamp (possibly)).
I would highly avoid option 2. Keep all your data local on your server! In case someone breaks your encryption he can mess up your entire database or webservice. Especially credentials or email-addresses should never be outsourced. Option 1 is much more recommended, though the data could also be stored in a different manner.

Pass data from a browser to android

I've been trying for days to figure out how can I pass a unique ID from a browser to the android. This is scenario that I'm try to create:
User scans QR code.
QR code directs user an url (php file on server).
The php files does an insert with some info.
User is directed to android marktet
User downloads app and installs it.
Once installed the user is supposed to be matched with the inserted information (at point 3).
My problem is that I can't seem to get anything unique from the user without prompting them to insert something (e.g an email address) first in the URL and later once the app is installed to insert the same thing again (e.g same email address) so that the data can be matched.
I've read something about creating a custom cookie that are stored on the android with a certain unique ID that refers to the inserted information in the database. I've looked into that but couldn't find anything that could get me on my way.
Next to that I thought of letting the php file save an xml or any kind of file where I can store the ID that refers to the inserted data..This too seems to be impossible.
Does any know a way how I can get around this without prompting the user to insert something unique?
Additional information: I'm using a jquery mobile website
Thanks
I can give you a suggestion
If you are trying to send user information without user intraction and which can be unique I suggest you you can use IMEI number of device. Which is unique for each device.

Email activation security checksum

Ive been asking around for some feedback on my website and one comment I received was the following
"I signed up with email#email.com and managed to active my account with http://www.mysite.co.uk/activateuser.php?email=email#email.com
You need checksums to stop it."
Can anybody elaborate on this and how I can implement them into my activation?
In theory, If I was to create a row named "rand_key" in my DB and when a user registers a random key is stored in the column, could I then use this as the activation as opposed to the email? thus making it un guessable?
You need to create a unique user key, which shouldn't be related to user data. Usually you could do something like hashing the output of a random generator function in order to make it unique and use that. Then you point them to the link:
http://www.mysite.co.uk/activateuser.php?userid=generated-unique-hashed-key
This unique user key should be added as an extra field to the table where you store your user info, or related to the user in some other way. By keeping the key unrelated to user data you make sure nobody can discover a user's key and maliciously activate/do another action instead of your user.
Then you should test the user key on arrival for some conditions:
not authorized yet - authorize
authorized already - some error
wrong key - some error
Also, there should be an expiration date associated with your user, upon which you just deactivate the user along with his key.
The person means you can activate your address by going to that url and simply putting the email address in thr url. You could do this without actually getting the activation email.
By using a checksum, you force thr user to click the link. E.g.
Activate.php?email=aaa#bbb.com&check=A1234b23
At the time of sending the email you would geneate a random code. Store this in your database somewhere. Append it to the url the user is given. When the user clicks the link, you check that the code matches the code stored for that email address. If it matches, validate the email. Else do not.
In theory, If I was to create a row
named "rand_key" in my DB and when a
user registers a random key is stored
in the column, could I then use this
as the activation as opposed to the
email? thus making it un guessable?
Yes. Keep in mind that you don't necessarily want random as much as you want unique (in order to avoid two email addresses accidentally getting the same activation code).
You could do something like:
$key = mt_rand().'-'.uniqid('', true);
echo 'http://mysite.com/activate?key='.urlencode(base64_encode($key));
That would be tough to guess and would be guaranteed unique.

Categories