Securing the Registration Pages

I am just setting out a new website that needs to be secured and I'm struggling to work out how to secure the registration pages. The registration process is complicated and involves them requesting a code to be posted to their address, so when they get that letter they have to come back to the website and authenticate themselves with this one off code, then continue with the registration process to setup password etc. I don't want to set the auth cookie before registration is complete as they will be able to get into the main part of the website without having setup a password etc, and also I don't want them to be able to register until we have checked their one off code. Do I need to use 2 different auth cookies? I haven't seen this before on other websites I've worked on and it seems wrong somehow.

Re: Securing the Registration Pages

It depends on how you envisage your registration process to work.

You only needto worry about the authentication cookie at the end, when everything is in order.

So, assume you have a registration page where the user starts the process. Say your takes their name and email address. When they submit the oage, they get sent the email with the code and a link which send them to a new page called RegistrationConfirm or something like that.

At this point they will probably get a record in the database which holds their email address , name and that one off code.

Nothing else happens at this stage.

When they click on the link in their confirmation email, they are sent to the second page and pass the data you need for the comfirmation in the URL as query string parameters or build a form and ask them to type their email address and one off code.

Now you check the code and if everything is in order you allow them to continue, take their password and so on. A lot of systems log the user in once the registration process is complete. If you do the same then simply set the authentication cookie at the very last stage.

Does that make sense ?

Re: Securing the Registration Pages

I think that makes sense. So having posted them a letter with a code on it, I could verify it on a non secure page, store in session that they had verified it, then allow them to setup a password on a different page but check the session variable to make sure they can only setup a password if their code was verified? I don't want to log them in automatically so I guess I just won't set an auth cookie at this stage.

If they try and get to the setup password page without having been through the other page then the setup will fail because of the session variable not being set.

Does that sound right?

Re: Securing the Registration Pages

I don't see a problem with that, I would only use 2 pages to be honest, but if you need more than that than sure go ahead and use Session.

Don't forget that Session can expire though, so keep that in mind as well when writing the code.

Re: Securing the Registration Pages

Will do. Thanks.