ecer4780
Member
10 Points
69 Posts
Registration Page and User Verification Email
Feb 21, 2013 01:04 PM
Hey,
I am working on a website's registration page and have created a verification process to verify a user account by sending an email to the newly registered user. I have found multiple tutorials which pass the new user's userId from the aspnet_membership / aspnet_user tables to the querystring in the verification link which is sent to the email address.
I feel like this may present a security issue, but I have seen multiple tutorials use this method:
http://www.asp.net/web-forms/tutorials/security/admin/unlocking-and-approving-user-accounts-cs (step 3: approving users by verifying their email address)
Is it against best practices to pass the userId in the verification link which is emailed to a new user?
Should a random verificationId be passed instead? A guid that is created when the user is created, but which is not the userId? (e.g. insert a "VerificationGuid" into my custom userProfile table (I did not use aspnetmembership's built in user profile table) upon user creation).
Just because a user account is verified does not mean they are approved by an admin - I have modified my DB to set an IsEmailVerified bit field to T or F based on whether they have clicked the verification link.
ammd
Participant
1349 Points
257 Posts
Re: Registration Page and User Verification Email
Feb 21, 2013 01:13 PM
As long as the userid you are sending is something like a Guid that is not an issue.
ecer4780
Member
10 Points
69 Posts
Re: Registration Page and User Verification Email
Feb 21, 2013 01:20 PM
Yes, I am using the Guid UserId field from the aspnet_Users and aspnet_Membership tables.
Why is it not a problem to use the userId which is a Guid?
Anaksunamun
Contributor
2774 Points
515 Posts
Re: Registration Page and User Verification Email
Feb 21, 2013 01:21 PM
Here's an idea: send the email with the link but also add a verification id (which is not part of the link) which they will need to type in when they click the link to complete the verification. Then you can match the userid with the verification code.
"Until Lions Have Their Historians, Tales of the Hunt Shall Always Glorify the Hunter"
ecer4780
Member
10 Points
69 Posts
Re: Registration Page and User Verification Email
Feb 21, 2013 01:31 PM
That would add an extra step for users, many of whom don't know how to copy/paste...
What value would the verification id (which is required to be entered on /Verification.aspx?ID='your Guid goes here') add to the verification process?
Thank you for bearing with me, this is my first ASP.net web form app.
So you have no issues passing the userId which is of Guid type (from the aspnet membership provider)?
Anaksunamun
Contributor
2774 Points
515 Posts
Re: Registration Page and User Verification Email
Feb 21, 2013 01:37 PM
If security is a primary concern an extra step for the user will not make much of a difference. Besides the user does not have to copy and paste the code, they can just type it in.
Defensive programming :-)
"Until Lions Have Their Historians, Tales of the Hunt Shall Always Glorify the Hunter"
ecer4780
Member
10 Points
69 Posts
Re: Registration Page and User Verification Email
Feb 21, 2013 01:40 PM
Ok, and security-wise there is no concern with passing a Guid ProviderUserKey (userId) through the querystring on verification.aspx?
ammd
Participant
1349 Points
257 Posts
Re: Registration Page and User Verification Email
Feb 21, 2013 02:49 PM
I can't see how it would be much of a concern as the account would be disabled in the first instance anyway; however, if you feel that this is still an issue then use either the approach above with a verification number in an e-mail, or generate a new guid and store it next to the userid in another table in your database until the account is activated, and then delete the entry.
Hope this helps
ecer4780
Member
10 Points
69 Posts
Re: Registration Page and User Verification Email
Feb 21, 2013 07:02 PM
I am going to continue using the Guid userId in the verification link query string.
I am not going to create another validation Id. When users navigate to the verification link, a field called IsEmailVerified (bit) is set to true in my UserProfile table (custom user profile table). The admin is then shot an email when a user successfully verifies their email the first time.
The admin then contacts and verifies the user's identity to determine whether the user should be approved. The admin manually approves the user's account and sets their role. The approval action will send an error message if the user has not verified their email address.
In the user admin screen I have two fields: Is User Approved? Is Email Verified? - the latter field is read only. Admins who try approving an unverified account receive a message saying the user has not verified their email. If the email is verified, then the admin can approve the account and assign a role.
After 48 hours accounts with unverified email addresses are deleted. It is stated on the registration page that users have 48 hours to check their email and verify the account.
homertechnol...
Member
228 Points
57 Posts
Re: Registration Page and User Verification Email
Feb 21, 2013 07:52 PM
OK, this is an answered post. However,
create a new guid, add it in a profile and send this id to verify the user.
Look at this tutorial:
http://imar.spaanjaars.com/572/approving-users-and-assigning-them-to-roles-after-they-sign-up-for-an-account
Thanks
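Putting together ammd's suggestion above (a separate guid stored beside the userId and deleted on activation), homertechnol's "new guid in the profile", and the 48-hour window from ecer4780's final design, here is an added C# example that is not code from this thread or from the linked tutorials: the link carries a random, single-use token whose hash is stored with an expiry, so the persistent userId never has to double as a secret. The class, method and dictionary names are assumptions; the two dictionaries stand in for the UserProfile table and a token table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical names): a verification token that is separate from the Guid userId.
public static class EmailVerification
{
    private class PendingToken { public byte[] TokenHash; public DateTime ExpiresUtc; }

    // Stand-ins for UserProfile.IsEmailVerified and for a token table keyed by userId.
    public static readonly Dictionary<Guid, bool> IsEmailVerified = new Dictionary<Guid, bool>();
    private static readonly Dictionary<Guid, PendingToken> Pending = new Dictionary<Guid, PendingToken>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(48); // same window as the registration page states

    // Called once at registration; the return value goes into the emailed link, e.g. ?uid=...&token=...
    public static string IssueToken(Guid userId)
    {
        var raw = new byte[32];                                  // 256 bits from the CSPRNG, not a Guid
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", "").ToLowerInvariant();
        Pending[userId] = new PendingToken { TokenHash = Hash(token), ExpiresUtc = DateTime.UtcNow + Lifetime };
        IsEmailVerified[userId] = false;
        return token;                                            // only the hash is kept server-side
    }

    // Called by the verification page; succeeds at most once per issued token and never after expiry.
    public static bool Verify(Guid userId, string token)
    {
        PendingToken p;
        if (!Pending.TryGetValue(userId, out p)) return false;   // no pending verification for this user
        if (DateTime.UtcNow > p.ExpiresUtc) { Pending.Remove(userId); return false; }
        if (!FixedTimeEquals(p.TokenHash, Hash(token ?? ""))) return false;
        Pending.Remove(userId);                                  // single use: delete the row on success
        IsEmailVerified[userId] = true;                          // the admin approval step stays separate
        return true;
    }

    private static byte[] Hash(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    // Compare hashes without an early exit so the comparison time does not leak matching prefixes.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With this layout the 48-hour cleanup job only needs to delete rows whose ExpiresUtc has passed, and a token that leaks from an old mailbox is useless once it has been used or has expired.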