views:

735

answers:

3

I've got a web site sending someone a confirmation email.

Now in the email I would like to have a link the user has to click to confirm he received the mail.

I'd like to include the user's password (or some random code) into the confirmation address, so the user does not need to enter it by hand again, but if I do this, the password will end up in the browser history and the log files.

Is there any other way to get a confirmation link in an email to send information like a user name and password, without it ending up in the link somehow?
Is it, for example, possible to have an input form in an email and send the password as POST instead of GET?

+2  A: 

You can pass a GUID in the email. That particular GUID has to be associated with the user. Then when the user clicks the link the GUID is sent back to the application and can be captured as a QueryString. Extract the GUID and record that the user has been approved.

azamsharp
+3  A: 

The way this usually works is that the confirmation email contains a link that includes a GUID (Globally Unique Identifier) of some sort. The GUID is associated with the user's account. When the link is clicked the web application simply sets the confirmation flag and logs the user in using the GUID rather than the usual username and password combination.

John Topley
It's generally worth making sure the GUID is a "one time good deal" and that once the mission has been accomplished it prevents that GUID from working a second time.
Phil Bennett
Very good point.
John Topley
Any reason to also make the user type in his password or username on the return screen?
zsharp
+1  A: 

Calculate a hex digest (e.g. md5) based on the user's id and the current time. Persist this code to a database or write a file with it as the filename, and include the user's ID and email address.

Set up an HTTP handler (cgi, php, servlet, etc...) to receive GET requests based on a URI that looks something like "/confirm_email/{hexdigest}" or "/confirm_email.php?code={hexdigest}"

When a user needs to confirm their email, send a link to the above servlet containing the digest.

When someone links to this URI, retrieve the db record or file with the matching digest. If one is found the email address contained is now verified.

If you want to make it more robust: When a user verifies their email, change the hex digest to just be a hash of the email address itself with no salt. Then you can test if someone's email has changed and needs to re-verify.

Lex
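The flow the three answers and the comments describe (a per-user code in the link, consumed on first use, with a stored hash of the verified address so a later address change can be detected), pulled together as one added example. This is not code from the original thread or from any of its posters. It swaps in `secrets.token_urlsafe` for the GUID / md5-of-id-and-time code the answers mention, keeps only a SHA-256 hash of the code on the server side, and gives the code a 24-hour lifetime; the `USERS` dictionary, field names, `example.com` URL and the `uid`/`code` parameter names are assumptions for this example, standing in for a real database and application.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory "database" (assumption): user_id -> record.
# A real application would keep these fields in its user table.
USERS = {}

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a confirmation link


def _hash_token(token):
    # Only the hash is stored: a leaked database row or log line cannot be
    # turned back into a working confirmation link.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_email(email):
    # Unsalted hash of the address, as in the "more robust" variant above,
    # used only to detect a later change of address.
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def create_user(user_id, email):
    USERS[user_id] = {
        "email": email,
        "email_verified": False,
        "verified_email_hash": None,
        "token_hash": None,
        "token_expires": 0.0,
    }


def issue_confirmation_link(user_id, base_url="https://example.com/confirm_email", now=None):
    """Generate a random one-time code, store its hash, and return the link to e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, not a GUID or md5
    rec = USERS[user_id]
    rec["token_hash"] = _hash_token(token)
    rec["token_expires"] = now + TOKEN_TTL_SECONDS
    # The user id in the URL is not secret; only the code is. Neither the
    # password nor anything derived from it goes into the link.
    return f"{base_url}?uid={user_id}&code={token}"


def parse_link(url):
    """Extract (user_id, code) from a confirmation link, as the GET handler would."""
    qs = parse_qs(urlparse(url).query)
    return int(qs["uid"][0]), qs["code"][0]


def confirm_email(user_id, code, now=None):
    """Handle the GET from the link. Returns True exactly once per issued code."""
    now = time.time() if now is None else now
    rec = USERS.get(user_id)
    if rec is None or rec["token_hash"] is None:
        return False                      # unknown user or no outstanding code
    if now > rec["token_expires"]:
        return False                      # link too old; user must request a new one
    if not hmac.compare_digest(rec["token_hash"], _hash_token(code)):
        return False                      # wrong code (constant-time compare)
    # Consume the code first so it is a "one time good deal": a replay from
    # browser history or a proxy log hits the None check above.
    rec["token_hash"] = None
    rec["token_expires"] = 0.0
    rec["email_verified"] = True
    rec["verified_email_hash"] = _hash_email(rec["email"])
    return True


def change_email(user_id, new_email):
    """Update the address; verification status is now decided by needs_reverification()."""
    rec = USERS[user_id]
    rec["email"] = new_email
    rec["email_verified"] = False


def needs_reverification(user_id):
    """True if the current address differs from the one that was confirmed."""
    rec = USERS[user_id]
    if rec["verified_email_hash"] is None:
        return True
    return not hmac.compare_digest(rec["verified_email_hash"], _hash_email(rec["email"]))


if __name__ == "__main__":
    create_user(1, "alice@example.com")
    link = issue_confirmation_link(1)
    uid, code = parse_link(link)
    print("first click :", confirm_email(uid, code))   # True
    print("second click:", confirm_email(uid, code))   # False, code already consumed
    change_email(1, "alice@example.net")
    print("re-verify?  :", needs_reverification(1))    # True
```

The code in the link still lands in browser history and server logs, exactly as the question fears; the mitigations are that it grants only the single action of marking the address confirmed, stops working after that first click or after the lifetime expires, and is stored server-side only as a hash. If the handler also logs the user in, as the second answer suggests, that session should be established by the server after the code is consumed rather than by anything else carried in the URL.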