fosbie
Member
73 Points
67 Posts
Securing the Registration Pages
Feb 27, 2012 08:21 AM
I am just setting out a new website that needs to be secured and I'm struggling to work out how to secure the registration pages. The registration process is complicated and involves them requesting a code to be posted to their address, so when they get that letter they have to come back to the website and authenticate themselves with this one off code, then continue with the registration process to setup password etc. I don't want to set the auth cookie before registration is complete as they will be able to get into the main part of the website without having setup a password etc, and also I don't want them to be able to register until we have checked their one off code. Do I need to use 2 different auth cookies? I haven't seen this before on other websites I've worked on and it seems wrong somehow.
eidand
Member
522 Points
146 Posts
Re: Securing the Registration Pages
Feb 27, 2012 08:39 AM
It depends on how you envisage your registration process to work.
You only need to worry about the authentication cookie at the end, when everything is in order.
So, assume you have a registration page where the user starts the process. Say your page takes their name and email address. When they submit the page, they get sent the email with the code and a link which sends them to a new page called RegistrationConfirm or something like that.
At this point they will probably get a record in the database which holds their email address, name and that one off code.
Nothing else happens at this stage.
When they click on the link in their confirmation email, they are sent to the second page and pass the data you need for the confirmation in the URL as query string parameters, or build a form and ask them to type their email address and one off code.
Now you check the code and if everything is in order you allow them to continue, take their password and so on. A lot of systems log the user in once the registration process is complete. If you do the same then simply set the authentication cookie at the very last stage.
Does that make sense?
fosbie
Member
73 Points
67 Posts
Re: Securing the Registration Pages
Feb 27, 2012 08:46 AM
I think that makes sense. So having posted them a letter with a code on it, I could verify it on a non secure page, store in session that they had verified it, then allow them to set up a password on a different page but check the session variable to make sure they can only set up a password if their code was verified? I don't want to log them in automatically so I guess I just won't set an auth cookie at this stage.
If they try and get to the setup password page without having been through the other page then the setup will fail because of the session variable not being set.
Does that sound right?
eidand
Member
522 Points
146 Posts
Re: Securing the Registration Pages
Feb 27, 2012 09:06 AM
I don't see a problem with that, I would only use 2 pages to be honest, but if you need more than that then sure go ahead and use Session.
Don't forget that Session can expire though, so keep that in mind as well when writing the code.
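A framework-independent sketch of the flow eidand lays out and fosbie proposes (record the code, verify it on one page, flag the session, let the password page check the flag), with the session-expiry caveat from the reply above built in. This is an added example, not code from the thread; the in-memory dict, the TTL and attempt limits, the 8-character code format and the function names are assumptions standing in for the database and ASP.NET Session.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store standing in for the database; plain dicts stand in for Session.
CODE_TTL = 14 * 24 * 3600    # a posted letter takes days to arrive: code valid for two weeks
VERIFIED_TTL = 30 * 60       # the "code verified" session flag lasts 30 minutes
MAX_ATTEMPTS = 5             # limit guessing of the short printed code

registrations = {}           # email -> dict(name, code_hash, issued_at, attempts, salt, pw_hash)

def _hash_code(code):
    # Store only a hash of the printed code so a database read does not reveal it.
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()

def start_registration(email, name, now):
    """Page 1: save name/email plus the one-off code for the letter; returns the code to print."""
    code = secrets.token_hex(4).upper()   # 8 hex characters on the letter (assumed format)
    registrations[email] = {"name": name, "code_hash": _hash_code(code), "issued_at": now,
                            "attempts": 0, "salt": secrets.token_bytes(16), "pw_hash": None}
    return code

def verify_code(session, email, code, now):
    """Page 2: check the posted code; on success set an expiring session flag, no auth cookie."""
    reg = registrations.get(email)
    if reg is None or now - reg["issued_at"] > CODE_TTL or reg["attempts"] >= MAX_ATTEMPTS:
        return False
    reg["attempts"] += 1
    if not hmac.compare_digest(reg["code_hash"], _hash_code(code)):
        return False
    session["verified_email"] = email
    session["verified_until"] = now + VERIFIED_TTL
    return True

def set_password(session, password, now):
    """Page 3: refuse unless the flag from page 2 is present and unexpired; returns email or None."""
    email = session.get("verified_email")
    if email is None or now > session.get("verified_until", 0):
        session.pop("verified_email", None)   # expired or absent: user must verify again
        session.pop("verified_until", None)
        return None
    reg = registrations[email]
    reg["pw_hash"] = hashlib.pbkdf2_hmac("sha256", password.encode(), reg["salt"], 200_000)
    session.clear()   # the one-time flag is spent; issue (or not) the real auth cookie here
    return email
```

The `now` argument is passed in rather than read from the clock so the expiry paths can be exercised deterministically.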
fosbie
Member
73 Points
67 Posts
Re: Securing the Registration Pages
Feb 27, 2012 09:57 AM
Will do. Thanks.