#1

    Account Activation


Hi, I have a few questions in relation to account activation, which I hope someone can help me with:

01 - When a user creates an account, should we limit the time in which they can activate the account using the link in their email?

02 - If so, how should we handle the link if the token no longer appears in the database?

03 - Is there anything I need to look out for in terms of a user misusing the link below?

    www.website.com/activate-account?id=1&token=bd335a180623348g6e40baf50df17a30a67d9ea4

    Thanks in advance for your help
#2
    Hi,

    Originally Posted by oo7ml
01 - When a user creates an account, should we limit the time in which they can activate the account using the link in their email?
    Yes, I would do it -- even though it's not absolutely necessary.

Limiting the time will prevent "dead" accounts from being captured. Let's say somebody registers and completely forgets about it. In case of a time limit, the account will simply expire after a while. But if there's no time limit, it can still be activated at any point in time without the user knowing it.



    Originally Posted by oo7ml
02 - If so, how should we handle the link if the token no longer appears in the database?
    How's that possible? Why should the token be deleted?

    Anyway, simply say "invalid token" or "link expired" or whatever.



    Originally Posted by oo7ml
03 - Is there anything I need to look out for in terms of a user misusing the link below?

    www.website.com/activate-account?id=1&token=bd335a180623348g6e40baf50df17a30a67d9ea4
    The token must be unpredictable. So a time based "random" number would be a bad decision, because those can simply be tried out (the registration date can probably be found somewhere on the site). Use something like openssl_random_pseudo_bytes().
    Last edited by Jacques1; November 13th, 2012 at 01:26 PM.
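The following is an added PHP example, not code posted in this thread or by either poster, that puts the three answers together: a token drawn from openssl_random_pseudo_bytes() rather than anything time based, an expiry stored next to it, and a single generic message whenever the link is unknown, expired, already used, or does not match. The $accounts array stands in for the real users table, ACTIVATION_TTL, createAccount() and activateAccount() are names chosen for this example, and the 24-hour lifetime is an assumed value.

```php
<?php
// Added example: activation tokens with an expiry. An in-memory $accounts
// array (id => row) replaces the database table for the demo.

const ACTIVATION_TTL = 24 * 60 * 60; // link valid for 24 hours (assumed value)

$accounts = []; // constructed stand-in for the users table

function createAccount(array &$accounts, string $email): array
{
    // 20 bytes from the CSPRNG; never derive the token from time() or mt_rand().
    $token = bin2hex(openssl_random_pseudo_bytes(20, $strong));
    if ($strong !== true) {
        throw new RuntimeException('CSPRNG unavailable');
    }
    $id = count($accounts) + 1;
    $accounts[$id] = [
        'email'        => $email,
        'active'       => false,
        // Store only a hash of the token, so a copy of the table alone
        // cannot be used to activate accounts.
        'token_hash'   => hash('sha256', $token),
        'token_expiry' => time() + ACTIVATION_TTL,
    ];
    // The raw token appears only in the e-mailed link.
    return ['id' => $id, 'token' => $token];
}

function activateAccount(array &$accounts, int $id, string $token): string
{
    // One message for every failure case (unknown id, no pending token,
    // expired link, wrong token); the caller is not told which one it was.
    $failure = 'This activation link is invalid or has expired.';

    if (!isset($accounts[$id]) || $accounts[$id]['token_hash'] === null) {
        return $failure;
    }
    $row = $accounts[$id];
    if (time() > $row['token_expiry']) {
        return $failure;
    }
    // Constant-time comparison of the two hashes (hash_equals, PHP >= 5.6).
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return $failure;
    }
    // Success: activate and clear the token so the link is single-use.
    $accounts[$id]['active']       = true;
    $accounts[$id]['token_hash']   = null;
    $accounts[$id]['token_expiry'] = null;
    return 'Account activated.';
}

// Demo run with constructed data.
$first = createAccount($accounts, 'user@example.com');
echo "link: /activate-account?id={$first['id']}&token={$first['token']}\n";
echo activateAccount($accounts, $first['id'], 'bd335a18'), "\n";       // wrong token -> generic failure
echo activateAccount($accounts, $first['id'], $first['token']), "\n";  // Account activated.
echo activateAccount($accounts, $first['id'], $first['token']), "\n";  // reused link -> generic failure

$second = createAccount($accounts, 'other@example.com');
$accounts[$second['id']]['token_expiry'] = time() - 1;                 // simulate a link past its lifetime
echo activateAccount($accounts, $second['id'], $second['token']), "\n"; // expired -> generic failure
```

On expiry, the row can either be deleted by a periodic cleanup job or left in place with a past token_expiry; activateAccount() gives the same answer in both cases, which is the behaviour the second answer above asks for. The link still carries a sequential id, so the token itself is the only secret in the URL and must stay unguessable.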
