tags:

views:

43

answers:

3
+1  Q: 

How do I resemble the typical "confirmation of account" procedure seen in multiple websites?

I want to resemble the typical "confirmation of account" procedure seen in multiple websites. When a user registers an email is sent to him with a confirmation link. Once the user goes to that confirmation link its account gets confirmed. Don't worry about the email sending process. The thing is that I need to generate a URL to which the user can then enter to get his new account confirmed. This page will need to receive some parameters but I don't want the url to be something like .../confirmation?userId=1 . I want it to be an ecrypted url to avoid abuses, is this possible? So far, I have something like this:

 public class CancelReservationPage extends WebPage{

 public CancelReservationPage(PageParameters pageParameters){
  // get parameters
  // confirm account
  // etc..
 }
}

What's next?

Thanks!

+1  A: 

You don't need encryption, better making your parameter totally agnostic. Just generate a random string, for example 12 char long, that you store in DB in the user table.

Damien  2010-09-11 22:57:34
+1  A: 

Pretty simple:

  1. before sending the email, generate a unique key (a series of characters, the easiest would be a GUID)
  2. store this unique key in the database and link it to the associated user account
  3. include this key as a parameter in the account confirmation URL sent in the email
  4. in the account confirmation page code, check the database to see if the received code is genuinely generated by your code
  5. if the key is in your database then activate the account
CyberDude  2010-09-11 22:59:39
+1  A: 

Aside from the solutions with storing unique key in the DB, there is a more convenient but perhaps less secure method (vulnerable to disclosure of the secret key and breaking of the hash).

Generate a URL containing userId and hash(userId + secretKey), where secretKey is an unique key of your application and hash is something like SHA-1. So, malicious person can't compute the hash unless he knows the secret key, and you can validate the confirmation request by comparing incoming hash with the newly computed one.

SHA-1 can be computed using java.security.MessageDigest or Apache Commons Codec's DigestUtls.shaHex().

You may also include an expiration date to make your confirmation link valid for the limited time.

axtavt  2010-09-12 11:10:51

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java