What should a verification email consist of?
Clash Royale CLAN TAG#URR8PPP
up vote
10
down vote
favorite
Right now I'm generation a 25 character string stored in the database that can only have a 1 time use and expires 30 minutes after user registration.
http://test.com/security/activate/ZheGgUNUFAbui4QJ48Ubs9Epd
I do a quick database lookup and the logic is as follow:
If the account is not activated AND if the email was not verified AND the validation code is still valid, activate the account, mark the email address as verified and mark the validation code as used.
Every 72 hours for example it would flush expired and used validation codes.
This is in order to tell the user that the activation link clicked has expired for example if he look at his email the day after and try the link.
Should I include the user UUID in the url? Do I need to include something else?
I thought about making sure the IP address on the registration form match the IP address of the request when the activation link is pressed, but for me I mainly read my emails on my cellphone for this kind of stuff so it would be a pain for UX.
EDIT
After reading Daisetsu's answer below, I would also send the user a "cancel" link that would flag the original IP for the system to watch like so:
http://test.com/security/cancelActivation/ZheGgUNUFAbui4QJ48Ubs9Epd
authentication email
New contributor
add a comment |Â
up vote
10
down vote
favorite
Right now I'm generation a 25 character string stored in the database that can only have a 1 time use and expires 30 minutes after user registration.
http://test.com/security/activate/ZheGgUNUFAbui4QJ48Ubs9Epd
I do a quick database lookup and the logic is as follow:
If the account is not activated AND if the email was not verified AND the validation code is still valid, activate the account, mark the email address as verified and mark the validation code as used.
Every 72 hours for example it would flush expired and used validation codes.
This is in order to tell the user that the activation link clicked has expired for example if he look at his email the day after and try the link.
Should I include the user UUID in the url? Do I need to include something else?
I thought about making sure the IP address on the registration form match the IP address of the request when the activation link is pressed, but for me I mainly read my emails on my cellphone for this kind of stuff so it would be a pain for UX.
EDIT
After reading Daisetsu's answer below, I would also send the user a "cancel" link that would flag the original IP for the system to watch like so:
http://test.com/security/cancelActivation/ZheGgUNUFAbui4QJ48Ubs9Epd
authentication email
New contributor
add a comment |Â
up vote
10
down vote
favorite
up vote
10
down vote
favorite
Right now I'm generation a 25 character string stored in the database that can only have a 1 time use and expires 30 minutes after user registration.
http://test.com/security/activate/ZheGgUNUFAbui4QJ48Ubs9Epd
I do a quick database lookup and the logic is as follow:
If the account is not activated AND if the email was not verified AND the validation code is still valid, activate the account, mark the email address as verified and mark the validation code as used.
Every 72 hours for example it would flush expired and used validation codes.
This is in order to tell the user that the activation link clicked has expired for example if he look at his email the day after and try the link.
Should I include the user UUID in the url? Do I need to include something else?
I thought about making sure the IP address on the registration form match the IP address of the request when the activation link is pressed, but for me I mainly read my emails on my cellphone for this kind of stuff so it would be a pain for UX.
EDIT
After reading Daisetsu's answer below, I would also send the user a "cancel" link that would flag the original IP for the system to watch like so:
http://test.com/security/cancelActivation/ZheGgUNUFAbui4QJ48Ubs9Epd
authentication email
New contributor
Right now I'm generation a 25 character string stored in the database that can only have a 1 time use and expires 30 minutes after user registration.
http://test.com/security/activate/ZheGgUNUFAbui4QJ48Ubs9Epd
I do a quick database lookup and the logic is as follow:
If the account is not activated AND if the email was not verified AND the validation code is still valid, activate the account, mark the email address as verified and mark the validation code as used.
Every 72 hours for example it would flush expired and used validation codes.
This is in order to tell the user that the activation link clicked has expired for example if he look at his email the day after and try the link.
Should I include the user UUID in the url? Do I need to include something else?
I thought about making sure the IP address on the registration form match the IP address of the request when the activation link is pressed, but for me I mainly read my emails on my cellphone for this kind of stuff so it would be a pain for UX.
EDIT
After reading Daisetsu's answer below, I would also send the user a "cancel" link that would flag the original IP for the system to watch like so:
http://test.com/security/cancelActivation/ZheGgUNUFAbui4QJ48Ubs9Epd
authentication email
authentication email
New contributor
New contributor
edited 13 mins ago
New contributor
asked 6 hours ago
HypeWolf
535
535
New contributor
New contributor
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
12
down vote
accepted
How are you generating the 25 character string which you include in the URL? Is it completely random, or is it based off the current time, or the users email? It should be random and not guessable.
You should make sure the verification page actually renders (not just that a GET request occurred). Browsers such as chrome (and antivirus programs) often load URLs without the user explicitly clicking them as either a pre-fetch or to scan for security reasons.
That could result in a scenario where a malicious actor (Eve) wants to make an account using someone else's email (Alice).
Eve signs up, and Alice received an email. Alice opens the email because she is curious about an account she didn't request. Her browser (or antivirus) requests the URL in the background, inadvertently activating the account.
I would use JavaScript on the page to verify the page actually rendered, and also include a link in the email where users can report that they did NOT create this account.
Awesome, thank you very much for your insight. The string is indeed generated from crypto.randomBytes function of NodeJS and the application already call a javascript function but not for the reason you stated. This is a thorough answer that highlight things I didn't think of.
â HypeWolf
6 hours ago
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
12
down vote
accepted
How are you generating the 25 character string which you include in the URL? Is it completely random, or is it based off the current time, or the users email? It should be random and not guessable.
You should make sure the verification page actually renders (not just that a GET request occurred). Browsers such as chrome (and antivirus programs) often load URLs without the user explicitly clicking them as either a pre-fetch or to scan for security reasons.
That could result in a scenario where a malicious actor (Eve) wants to make an account using someone else's email (Alice).
Eve signs up, and Alice received an email. Alice opens the email because she is curious about an account she didn't request. Her browser (or antivirus) requests the URL in the background, inadvertently activating the account.
I would use JavaScript on the page to verify the page actually rendered, and also include a link in the email where users can report that they did NOT create this account.
Awesome, thank you very much for your insight. The string is indeed generated from crypto.randomBytes function of NodeJS and the application already call a javascript function but not for the reason you stated. This is a thorough answer that highlight things I didn't think of.
â HypeWolf
6 hours ago
add a comment |Â
up vote
12
down vote
accepted
How are you generating the 25 character string which you include in the URL? Is it completely random, or is it based off the current time, or the users email? It should be random and not guessable.
You should make sure the verification page actually renders (not just that a GET request occurred). Browsers such as chrome (and antivirus programs) often load URLs without the user explicitly clicking them as either a pre-fetch or to scan for security reasons.
That could result in a scenario where a malicious actor (Eve) wants to make an account using someone else's email (Alice).
Eve signs up, and Alice received an email. Alice opens the email because she is curious about an account she didn't request. Her browser (or antivirus) requests the URL in the background, inadvertently activating the account.
I would use JavaScript on the page to verify the page actually rendered, and also include a link in the email where users can report that they did NOT create this account.
Awesome, thank you very much for your insight. The string is indeed generated from crypto.randomBytes function of NodeJS and the application already call a javascript function but not for the reason you stated. This is a thorough answer that highlight things I didn't think of.
â HypeWolf
6 hours ago
add a comment |Â
up vote
12
down vote
accepted
up vote
12
down vote
accepted
How are you generating the 25 character string which you include in the URL? Is it completely random, or is it based off the current time, or the users email? It should be random and not guessable.
You should make sure the verification page actually renders (not just that a GET request occurred). Browsers such as chrome (and antivirus programs) often load URLs without the user explicitly clicking them as either a pre-fetch or to scan for security reasons.
That could result in a scenario where a malicious actor (Eve) wants to make an account using someone else's email (Alice).
Eve signs up, and Alice received an email. Alice opens the email because she is curious about an account she didn't request. Her browser (or antivirus) requests the URL in the background, inadvertently activating the account.
I would use JavaScript on the page to verify the page actually rendered, and also include a link in the email where users can report that they did NOT create this account.
How are you generating the 25 character string which you include in the URL? Is it completely random, or is it based off the current time, or the users email? It should be random and not guessable.
You should make sure the verification page actually renders (not just that a GET request occurred). Browsers such as chrome (and antivirus programs) often load URLs without the user explicitly clicking them as either a pre-fetch or to scan for security reasons.
That could result in a scenario where a malicious actor (Eve) wants to make an account using someone else's email (Alice).
Eve signs up, and Alice received an email. Alice opens the email because she is curious about an account she didn't request. Her browser (or antivirus) requests the URL in the background, inadvertently activating the account.
I would use JavaScript on the page to verify the page actually rendered, and also include a link in the email where users can report that they did NOT create this account.
answered 6 hours ago
Daisetsu
3,114719
3,114719
Awesome, thank you very much for your insight. The string is indeed generated from crypto.randomBytes function of NodeJS and the application already call a javascript function but not for the reason you stated. This is a thorough answer that highlight things I didn't think of.
â HypeWolf
6 hours ago
add a comment |Â
Awesome, thank you very much for your insight. The string is indeed generated from crypto.randomBytes function of NodeJS and the application already call a javascript function but not for the reason you stated. This is a thorough answer that highlight things I didn't think of.
â HypeWolf
6 hours ago
Awesome, thank you very much for your insight. The string is indeed generated from crypto.randomBytes function of NodeJS and the application already call a javascript function but not for the reason you stated. This is a thorough answer that highlight things I didn't think of.
â HypeWolf
6 hours ago
Awesome, thank you very much for your insight. The string is indeed generated from crypto.randomBytes function of NodeJS and the application already call a javascript function but not for the reason you stated. This is a thorough answer that highlight things I didn't think of.
â HypeWolf
6 hours ago
add a comment |Â
HypeWolf is a new contributor. Be nice, and check out our Code of Conduct.
HypeWolf is a new contributor. Be nice, and check out our Code of Conduct.
HypeWolf is a new contributor. Be nice, and check out our Code of Conduct.
HypeWolf is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f197004%2fwhat-should-a-verification-email-consist-of%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password