ansaurus

Question

Answer 1

+8 A:

I generally send a link that contains the userid, and the activation key. When they visit my activation script, if I find a match, I activate them.

When they register, I'll generate maybe 32 chars of upper/lower case alphanumeric characters and set it as the activation key. At this point, you can create a field called 'activated,' or you can assume the user is not activated if they have an activation key.

uid |        email       | key
------------------------------------------------------------
001 | [email protected] | e09141f3f5a17fed6222fc0279b9afdf
------------------------------------------------------------
002 | [email protected] | 
------------------------------------------------------------

When the user accesses the activation script, simply check for the provided key along with the provided id and if a match is found, erase the key from the user record on file (or update your boolean 'activated' field) and open the doors up.

If the provided email address doesn't exist, no loss. You can routinely remove all rows with keys after a month of inactivity.

Jonathan Sampson 2010-01-06 22:20:39

nice! thanks alot! btw for generating a key do you think md5(uniqid()); will be ok? dont want 2 users with same key :P

Martin 2010-01-06 22:31:21

md5 of the same uniqid will still be the same - you can just use prefix (maybe the md5 of their email) for uniqid, or use the 'more entropy' flag of uniq id

eCaroth 2010-01-06 22:38:17

smart. think i will go with md5(email); thx

Martin 2010-01-06 22:41:21

Martin, if you are going to hash the email then add a salt first

rick 2010-01-06 23:08:18

+1@rick: if you just hash the email, it will be easily bypassable as soon as anybody notices (not that it really matters, since anyone can create any amount of trash email addresses)

Lo'oris 2010-05-07 12:11:18

Answer 2

A:

There's no easy way to check if an email actually exists programatically. There are some ways (pinging the mailserver,etc) but none that are proven to work with every mailserver's setup. Forcing the user to activate their account via a link like you described is the best way to do it. Also, you may wish to have some kind of recurring script like a cron-job that removes un-activated members after a certain period of time (which would require another column in your table, timestamp).

This is useful because if a user signs up but never activates their account and deletes the email, and you are using their email as an id (just an example), they will never be able to complete the activation. Alternately, if they try to log in you can simply re-send the activation email to that address again.

Just make sure in the email you are specifying all the headers (reply-to, from, etc) so your email doesn't get flagged as spam.

eCaroth 2010-01-06 22:27:17

This method of checking if an email exists is not foolproof. It does not ensure the email belongs to the user.There exists disposable mail services, where you get a temporary email address. The user might use one of those services, activate their account, and login to the system. After a while, the temporary address is disabled.

Inf.S 2010-01-07 00:23:12

Answer 3

A:

One alternative to activation keys is to just send a generated password to the user email, if the user logs in he is activated (and of course, should be able to change the password to what he prefers).

Alix Axel 2010-01-06 23:39:03

ansaurus

tags:

views:

answers:

Send activation email to user

related questions