
I'm developing a registration wizard and at the moment I am facing the issue of a robust email validation algorithm.

  1. After we get the user-specified information like first name, password and email, we should save this info to the DB. Let's also say we have an appropriate table for these strings.

  2. Next we generate some email verification token (just a generated code that consists of a bunch of characters and digits) and also save it to the DB with some timestamp (for timeout capability).

So, here I am frustrated. One of my requirements for the algorithm is the opportunity to send the token not only once, but multiple times. I require this because the letter might not be delivered to the email, or some technical issues on my side might result in the letter not being sent.

So for this reason, let's return to the first step and allow the user to fill in the registration form again. Now we have the data that the user just entered and the previous data which is stored in the DB.

Should we replace the information that exists in the DB with the new one?

Another requirement is that the email address is unique and will be used as the user's login. So we need to transform the above table into a new one, which should accept one email two or more times in the table.

Another issue that has been dogging me for days is how I can remove unnecessary tokens from the DB. Do I need to cron some job at night that goes through the tokens table and removes the tokens that are unwanted?

  • I hope you're hashing and salting the passwords. Commented Nov 29, 2011 at 14:38
  • @SLaks Yeah, sure, I will use MD5 password hashes for storing passwords. I just wrote a simple example in the question. Commented Nov 29, 2011 at 14:40
  • MD5 is not a secure hash. Use bcrypt. Commented Nov 29, 2011 at 14:47
  • I suggest you don't allow the same user to register twice! It creates problems in managing it in your system plus annoys the user who has to fill in the form again. Commented Nov 29, 2011 at 16:59
  • @Simon So a user who has not verified his email should get a message telling him that this email was already entered, that he can't use it and should enter another email? How can the user request another token to his email? Commented Nov 29, 2011 at 18:37

2 Answers


First of all, put requests for registration into a separate table from the membership table.

Second, when a user has registered, you create a token for validating the email address. If the user clicks the link that validates that token within X hours, you remove the token and create the user in the membership table.

If the user requests a new token, you just generate it and send the email message. If you overwrite the token in the DB, then obviously the link in the first email message will not work anymore, and that is fine -- the user can only validate the most recent token.

If the user did not click the link that validates a token within X hours, then the registration request can automatically get cleaned up and the user will have to re-register. You can indeed do this with a cron-type job.

I hope this helps.


6 Comments

I have requests for registration in a standalone table, but then I remove it. Could you please explain the pros and cons of that table? Another thing is that you talked about requesting a new token. The token is resent only when the user has registered again! How can I provide other ways to request another token?
Right, the user cannot request a new token, he can only ask for a password reset after he is already registered...
Thanks Roy! But think about a situation where some problems occurred and the message with the token wasn't delivered to the user. How can he request the token again?
He probably can't... Unless you have a special link "re-request your token" where a user can fill in his email address. Then you can verify that he did indeed request a token in the last X hours, and you can re-send it. Otherwise he'll just have to re-register and you'll have to clean up his old request...
Do I need to put the generated token into the separate requests table we talked about above?

Should we replace the information that exists in the DB with the new one?

I'm not sure how this would happen given that you don't yet have an authenticated user. If you can identify that the user entering this information is definitely already in the DB then sure, update that information. However, given the fields you are taking I'm not sure how you could reliably know this.

Another issue that has been dogging me for days is how I can remove unnecessary tokens from the DB.

Given that you are using SQL Server, I would just create a nightly job to clear out the old tokens.

Hope this helps!

1 Comment

Thanks akmad! About the first question: notice that we have existing info about the user in the case where he was trying to register and then tries again.
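The design both answers sketch (a requests table kept apart from the members table whose token is overwritten on re-request, a "re-request your token" link limited to recent requests, and a nightly cleanup), as an added example using an in-memory sqlite3 database. This is not code from the question or either answer; the table layout, the 24-hour window, integer timestamps and storing only a hash of the token are assumptions.

```python
import hashlib
import secrets
import sqlite3

TOKEN_TTL = 24 * 3600  # the answer's "X hours" (24 here), in seconds
def open_db():
    # Constructed in-memory schema (assumption): requests kept apart from members.
    db = sqlite3.connect(":memory:")
    db.executescript("""CREATE TABLE registration_requests (email TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL, token_hash TEXT NOT NULL, requested_at INTEGER NOT NULL);
        CREATE TABLE members (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL);""")
    return db

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()  # only the hash is stored at rest

def register(db, email, password_hash, now):
    # Refuse emails already registered as members; INSERT OR REPLACE drops any pending request.
    if db.execute("SELECT 1 FROM members WHERE email = ?", (email,)).fetchone():
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT OR REPLACE INTO registration_requests VALUES (?, ?, ?, ?)",
               (email, password_hash, _digest(token), now))
    return token

def resend_token(db, email, now):
    # "Re-request your token": only for an email that requested within TOKEN_TTL.
    row = db.execute("SELECT requested_at FROM registration_requests WHERE email = ?",
                     (email,)).fetchone()
    if row is None or now - row[0] > TOKEN_TTL:
        return None
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE registration_requests SET token_hash = ?, requested_at = ? "
               "WHERE email = ?", (_digest(token), now, email))
    return token

def verify(db, token, now):
    # Clicking the link: the latest unexpired token promotes the request to a member.
    row = db.execute("SELECT email, password_hash, requested_at FROM registration_requests"
                     " WHERE token_hash = ?", (_digest(token),)).fetchone()
    if row is None or now - row[2] > TOKEN_TTL:
        return False
    db.execute("INSERT INTO members VALUES (?, ?)", (row[0], row[1]))
    db.execute("DELETE FROM registration_requests WHERE email = ?", (row[0],))
    return True

def cleanup(db, now):
    # The nightly job both answers describe: drop requests whose token has expired.
    return db.execute("DELETE FROM registration_requests WHERE requested_at < ?",
                      (now - TOKEN_TTL,)).rowcount
```

Because the request row is keyed by email, a second registration attempt before verification replaces the pending request instead of creating a duplicate, and the email only becomes a login once the link is clicked.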
