#1  Registered User | Devshed Newbie (0 - 499 posts) | Join Date: Nov 2013 | Posts: 6 | Rep Power: 0

    Email Verification in User Account System


    Hello everyone. I've been using a user register/login/edit system I found in this forums from here: forums.devshed.com/php-faqs-and-stickies-167/how-to-program-a-basic-but-secure-login-system-using-891201.html

    Though it states secure, there seems to be a problem. There is no provided email verification for registering or editing your email. I'm still new to PHP, and was wondering if anyone knew how to:

    -Add a Email Verification system into the register.php
    -Use the same email verification in edit_account.php

    Any answers are appreciated. Thanks in advance.
    ~Jake
#2  Contributing User | Devshed Newbie (0 - 499 posts) | Join Date: Sep 2013 | Location: Saint-Petersburg, Russia | Posts: 240 | Rep Power: 29
    Hi, Jake!

    Adding email verification is not a tricky matter, but it cannot be explained in a single line of code. At least it is a bit more complex than the login system itself.

    You need to generate some secret value for each user, for example md5(rand()), and store it in the database alongside the user data.

    Then you need to send an email to the user asking him to enter this value on a dedicated form or to follow a link having this value in the attribute. Sending email can be done in several ways depending on the framework and server setup you use.

    After the user visits this form or this link you should check the passed secret value and, if it equals that stored in the database, mark the email address confirmed.

    However, if you cannot write in PHP yourself, I fear this would not be an easy matter for you.

    Comments on this post

    • Jacques1 disagrees : This is extremely insecure.
    CodeAbbey - programming problems for novice coders
#3  -- | Devshed Expert (3500 - 3999 posts) | Join Date: Jul 2012 | Posts: 3,959 | Rep Power: 1014
    Nooo.

    If anybody can change the email address of any user account simply by confirming the new address, then it's trivial to take over other accounts once you've been able to gain access to the session or perform a cross-site request forgery attack. All you have to do then is to change the email address to your own address, confirm it, trigger the "I forgot my password" feature and reset the password.

    Also, depending on the system, rand() may only generate ~32,000 different values, and those values are simply derived from the system time and the process ID. This isn't secret at all.

    So, no, that's not how to do it.

    Confirming the email address upon registration and changing the address of a current account are two completely different things.

    When a new user registers, you simply wanna make sure that the email address actually exists and that the owner of the address confirms the registration. This is done by sending a strong random number to that address and having the user confirm it.

    When somebody tries to change the email address of an existing account, you want two things: You need to be sure that it's actually the user who did this request and not somebody else trying to take over the account. And you want a confirmation like above. The email address of an existing account isn't just a piece of personal data like the telephone number or something. It effectively determines the owner of the account. Because once you have access to the email account, you can reset the password by claiming you've forgotten it.

    So this is much more critical than validating a registration. You basically have two options: You can ask the user to enter their password along with the new address. That's the authentication part. After this, you validate the new address. Alternatively, you could send two strong random numbers to both the old address and the new address.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
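    Worked example of the two flows this post describes, added here as illustration. It is not Jake's code, not the linked login system, and not code from Jacques1 or rodiongork. It assumes PHP 7 or later (for random_bytes and password_verify), an existing PDO connection $pdo, a users table with columns id, email, email_confirmed and password_hash, and an email_tokens table as sketched in the comment; all of those names, and example.com, are assumptions for this example.

```php
<?php
// Added example, not from the thread. Assumed schema (names are assumptions):
//   CREATE TABLE email_tokens (
//     user_id INT NOT NULL, purpose VARCHAR(16) NOT NULL,
//     token_hash CHAR(64) NOT NULL, new_email VARCHAR(255) NULL,
//     expires_at DATETIME NOT NULL
//   );
//   users(id, email, email_confirmed, password_hash)

const TOKEN_TTL_SECONDS = 3600; // confirmation links expire after one hour

// 1. Strong random token. random_bytes() reads the OS CSPRNG; 32 bytes is
//    256 bits of entropy, as opposed to rand(), which on some systems yields
//    only ~32,000 distinct values seeded from the clock and process ID.
function makeToken(): string
{
    return bin2hex(random_bytes(32)); // 64 hex characters, goes into the link
}

// Store only a SHA-256 of the token: a leaked database dump then does not
// contain usable confirmation links.
function storeToken(PDO $pdo, int $userId, string $purpose, string $token, ?string $newEmail = null): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO email_tokens (user_id, purpose, token_hash, new_email, expires_at)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([
        $userId,
        $purpose,
        hash('sha256', $token),
        $newEmail,
        date('Y-m-d H:i:s', time() + TOKEN_TTL_SECONDS),
    ]);
}

// 2. Registration: only the owner of the address can complete it.
function sendRegistrationConfirmation(PDO $pdo, int $userId, string $email): void
{
    $token = makeToken();
    storeToken($pdo, $userId, 'register', $token);
    $link = 'https://example.com/confirm.php?t=' . $token; // placeholder host
    mail($email, 'Confirm your registration', "Open this link to confirm: $link");
}

// 3. Email change: authenticate the request with the current password first,
//    so a stolen session or a CSRF request cannot re-point the account, then
//    confirm the new address. The stored email is untouched until confirmed.
function requestEmailChange(PDO $pdo, int $userId, string $password, string $newEmail): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false; // wrong password: no token is issued, nothing is sent
    }
    $token = makeToken();
    storeToken($pdo, $userId, 'change', $token, $newEmail);
    $link = 'https://example.com/confirm.php?t=' . $token;
    mail($newEmail, 'Confirm your new email address', "Open this link to confirm: $link");
    return true;
}

// 4. confirm.php: look the token up by its hash, reject expired ones, apply
//    the pending action once, then invalidate every token of that kind.
function confirmToken(PDO $pdo, string $token): bool
{
    $stmt = $pdo->prepare(
        'SELECT user_id, purpose, new_email FROM email_tokens
         WHERE token_hash = ? AND expires_at > NOW()'
    );
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown, already used, or expired token
    }
    if ($row['purpose'] === 'register') {
        $pdo->prepare('UPDATE users SET email_confirmed = 1 WHERE id = ?')
            ->execute([$row['user_id']]);
    } else {
        $pdo->prepare('UPDATE users SET email = ? WHERE id = ?')
            ->execute([$row['new_email'], $row['user_id']]);
    }
    $pdo->prepare('DELETE FROM email_tokens WHERE user_id = ? AND purpose = ?')
        ->execute([$row['user_id'], $row['purpose']]);
    return true;
}
```

    The second option from the post, sending tokens to both the old and the new address, fits the same structure: issue two tokens with distinct purposes and only apply the change in confirmToken once both have been presented. Passing the password on the change request is what keeps the "confirm the new address" step from being a takeover path on its own.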
#4  Contributing User | Devshed Newbie (0 - 499 posts) | Join Date: Sep 2013 | Location: Saint-Petersburg, Russia | Posts: 240 | Rep Power: 29
    If anybody can change the email address of any user account simply by confirming the new address
    Hm. I think I never wrote that email changing should be accessible to any user.

    Also, depending on the system, rand() may only generate
    It will do all right for a person who has basic knowledge of PHP and is not engaged in the development of a top-secret application. mt_rand and adding salt to the hash, using hmac instead of md5 - these are only implementation details to which the developer may come in time.

    By the way
    As for the initial question - I myself now prefer using authentication via Facebook or GMail instead of my own implementation. Storing both the password and email of the user, providing means to confirm the email, to change either email or password in a secure manner - all these gave me significant headache in the past - at the same time oauth allows users to avoid remembering another password etc.

    Comments on this post

    • Jacques1 disagrees
#5  -- | Devshed Expert (3500 - 3999 posts) | Join Date: Jul 2012 | Posts: 3,959 | Rep Power: 1014
    Originally Posted by rodiongork
    Hm. I think I never wrote that email changing should be accessible to any user.
    But that's what you do if you don't authenticate the request and merely validate the new address.



    Originally Posted by rodiongork
    It will do all right for a person who has basic knowledge of PHP and is not engaged in the development of a top-secret application. mt_rand and adding salt to the hash, using hmac instead of md5 - these are only implementation details to which the developer may come in time.
    Nonsense. Sorry, but this is just wrong, and I'm getting tired of hearing this excuse.

    When your "security" can be broken by anyone at any time, then it's no security at all. It's not "a little bit of security" or "good enough for some people". It's nothing. Resistance to attacks is the whole purpose of security. Without that, the whole thing is pointless. It's like selling a car without an engine, claiming that this is just "an implementation detail".

    Also, who are you to decide that Jake's system isn't worth being secure? That's his decision.

    In fact, broken security can be even worse than no security at all, because people may think they're secure when they aren't. For example, we all know that standard emails are sent around as plaintext, so we act accordingly and simply not put any important data into them. But if we rely on some service to keep our emails secure while in fact it doesn't, then we have a problem. Just ask the users of Lavabit.

    If you're not willing to invest some effort into providing proper security, then rather do nothing at all and say that outright. Don't make promises if you don't plan to keep them.



    Originally Posted by rodiongork
    By the way
    As for the initial question - I myself now prefer using authentication via Facebook or GMail instead of my own implementation. Storing both the password and email of the user, providing means to confirm the email, to change either email or password in a secure manner - all these gave me significant headache in the past - at the same time oauth allows users to avoid remembering another password etc.
    That sounds like advice.

    Personally, I wouldn't wanna give Facebook or Google the keys to my life. But this is at least an honest solution, so people get what they see and can decide for themselves.
    Last edited by Jacques1; November 23rd, 2013 at 07:54 AM.