Validate & Confirm E-Mail Address

  • Thread starter Wm. Scott Miller

Wm. Scott Miller

Hello all:

I'd like some advice on the best way to validate and confirm an e-mail
address entered during a registration process. What we are thinking of is
something like the following:

1. User comes to our web site and validates themselves as a member of our
database.
2. User creates a user name and password to be used to log in to our site.
3. User is required to enter a valid e-mail address to finalize
registration.
4. Registration process is suspended until...
5. Server sends e-mail to supplied e-mail address with a link in it that
the user must click on to continue the registration process.
6. User clicks on link and is taken to a log-in page where they will enter
the information supplied in #2
7. Once they have successfully logged in (which also confirms either e-mail
address), they are fully registered and ready to go.

Reason we decided on the above is because of:

1. If e-mail were to be intercepted (either maliciously or by typo by
user), no one but the registering user could confirm e-mail because they
must login with link to confirm e-mail.
2. We need an e-mail in case the user forgets their password so it must be
active and valid for use.

Are there any security holes in the plan?

Additionally, has someone done something like this and have code and/or
suggestions from your experience?

Thanks for all the help,
Scott
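
An added sketch of steps 5 to 7 in the post above (not code from the thread or from either poster): the e-mailed link carries a random token bound to the registering account, and the token is honoured only after that same account has logged in. The in-memory tables, the function names, the 24-hour lifetime, the single-use rule and the hash-only storage are assumptions of this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime; the thread does not give one

# In-memory stand-ins for database tables (hypothetical schema).
pending = {}    # sha256(token) -> {"user", "email", "expires"}
verified = {}   # user name -> confirmed e-mail address


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user, email, now=None):
    """Step 5: create the value that goes into the e-mailed link."""
    now = time.time() if now is None else now
    # Drop any earlier pending link for this user (e.g. a retyped address).
    for key in [k for k, v in pending.items() if v["user"] == user]:
        del pending[key]
    token = secrets.token_urlsafe(32)
    # Store only a hash, so a leaked table does not yield usable links.
    pending[_digest(token)] = {"user": user, "email": email,
                               "expires": now + TOKEN_TTL}
    return token


def confirm(token, logged_in_user, now=None):
    """Steps 6-7: call only after the password check has succeeded."""
    now = time.time() if now is None else now
    record = pending.get(_digest(token))
    if record is None:
        return "unknown-or-used"
    if now > record["expires"]:
        del pending[_digest(token)]
        return "expired"
    # The link alone proves nothing: whoever holds it must also be logged in
    # as the account that requested it (reason 1 in the post above).
    if record["user"] != logged_in_user:
        return "wrong-account"
    verified[record["user"]] = record["email"]
    del pending[_digest(token)]  # single use
    return "confirmed"


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    link_token = issue_token("alice", "alice@example.com")
    print(confirm(link_token, "mallory"))
    print(confirm(link_token, "alice"))
```

A "wrong-account" result leaves the pending record in place, so a link that reached a mistyped address can still be confirmed later by the registering user.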
 

Peter Blum

Hi Scott,

I use the same technique on my site (www.peterblum.com). Feel free to
download something from the site to try it out. (There are free ASP.NET
controls so you might actually get something you like.)

The advantages are clear. Your database knows when a user has not finished
registration. So other functions that use your registrations can skip them.
The disadvantages:
1. Sometimes email does not make it to the user. DNS problems, anti-spam
software blocking, or email server blocking features. I'd say probably 5% of
users that appear to have legit email addresses end up with this problem.
2. Users create temporary email addresses just for signing up. If this info
is important to you, your site still can be fooled.
3. Users often mistype their email address. I often see back-to-back entries
with slightly different email addresses. At least that indicates the user is
trying to make things work.

--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
 

Wm. Scott Miller

Peter:

Could you provide a link directly to the download of the registration
example? I've poked around on your site and haven't found it.
Thanks!

Scott
 
