+1  Q: 

Activation on site

Hello. I have been running my website for a few months now and occasionally I find my activation isnt great. After the user signs up, they will receive an email which has an activation link provided.

I have a few problems and want to improve this if possible. Firstly, the email sometimes doesnt arrive? Any reason for this? How can I stop it going into the junk mail?

Secondly, at the moment, the activation is their username and an md5 of their username. Is there a better way to do activations?

I'm always looking to improve and find better ways of doing things! Thanks for your time.

+1  A: 

Some emails will always end up in the trash folder. It's probably best to put up a notice so that people know to check there, and make it possible for the user to re-request the activation email.

Using the MD5 hash of the username is not a very good idea because anyone can automate that. At the very least add some salt before hashing it, or even better, use a completely unrelated random token saved in your database.

Matti Virkkunen
I have the notice up about checking trash but users still dont!I think the re-request the activation email is a fantastic idea though, hadn't thought of that.

First problem: Make sure your mail isn't spammy. Follow the default guidelines for setting up mail... things like making sure you've got your SPF records configured, your mail is well-formatted, doesn't include spammy words. I generally test against Gmail, Hotmail and a server running SpamAssassin to check mails I send out; examine the headers to see if you're triggering any serious anti-spam rules.

Second problem: You'll want to make sure that the user cannot guess what his activation key is (thus removing the need for receiving the email). An MD5 of the username is insufficient for this. However, if you salt the MD5 you can easily prevent people from generating the MD5's in an automated way (that's an open invitation for automated signups). Adding Salt refers to adding a large amount of pregenerated random data to your input before hashing it. That way, the attacker can't lookup the hash in a 'rainbow table', as he no longer knows what the input for your hash was. Of course, you could just as well use a randomly generated string, which would probably be easier.


Another look on user registration. Let yourself inspire at stackoverflow and use OpenId and you don't have to care about user registration.


You don't need to validate OpenId user via email. A user which signed up via Google or MyOpenId account is valid.

You don't have to care about questions if user is a bot? This servers did it already.

I have never got verification email from stackoverflow.

I considered adding this to my answer... however, if you want to send users an email every now and then, you'll still need to verify that the emailaddress they submitted to you is correct, whether they provided it manually or through their OpenID provider.OpenID solves the username/password problem, but not the emailaddress problem... unless I'm missing something here?
See my update comment.

For your second question, you may want to generate a random activation code and store it in a database. When the user clicks the activation link you could verify the code in the database using their e-mail address. This way a malicious user will have a more difficult time automating registration on your site.

$code = md5(uniqid(rand(), true));

If you're on a shared server, services like Yahoo are apt to label you spam. They want you to have a dedicated IP. It's almost impossible to get users to check the 1000 messages in their spam folders for your one activation message.

The MD5 hash is fine if you're hashing with a timestamp.

Keep this implementation, but supplement it with OpenID. That will take care of your Gmail and Yahoo users.

+1  A: 

Email doesn't arrive

First at all, you cannot really rely on mail. Never. Because you can't even know if it was received or read. A mail may be blocked as spam on server side, can be filtered on client side, or can just be lost or ignored.

There may be plenty of causes. For example, you may use e-mail authentication mechanisms. You may also start to check if there is reverse DNS for your domain.

Further, you may want to read some documentation and books to know how spam filters work. It will show you some obvious methods to reduce filtering of your mails, like sending mails in plain text instead of full-HTML, but also less obvious stuff like the words to use, etc.

If you have no choice and you must send mail, probably the most easy solution to prevent spam filtering would be to ask the users to add your domain to the list of safe senders. In practice, nobody will do it for you.

Activation through MD5

There is obviously a better way, since the one you implemented does not provide anything. If the activation is a hash from user name, you can as well just tell the users to calculate the hash themselves (thus avoiding all the problems with mails filtered as spam).

Normally, the users may not know what their activation code would be. It means that the activation code must be random or difficult to guess.

Generate a set of random characters, save them to database and send the code by mail. Then you would just need to validate the code against the one you keep in your database.


Yes, that's wrong. You shouldn't use MD5 for that.

The most popular way of do it is generating a rand code and saving it in the users table in the DB and send it by email as a GET parameter of the link.

About the emails, I would tell users to look in theit junk folders.