A good idea to automatically register users from email?

For many sites that we develop, we check the user's email address. Usually the workflow is as follows:

  • User registers for the site (an activation link is sent to the email address)
  • The user verifies the email address (by clicking on the link above)
  • The user must log in to use the site (if they are not already logged in)

Customers often complain that this process is awkward and somewhat confusing, and I agree. The proposed solution is to remove step 3 and automatically log the user in after step 2.

I'm not sure if this matters (hence the question!), but I have always been wary of automatically logging users in this way. What additional security risks should be considered before implementing the proposed solution?

This also applies to situations such as resetting a password, where a user could be logged in automatically and then change their password.

For this question, let's assume that email verification is a hard requirement. I know there are situations where it is not necessary, but let's talk about those where it is.

+4
6 answers

I would make sure that there is a limit on the duration of the link in the email and make it valid in just one click.

+4

It depends on your application. You would never do this if you were managing a bank site. You could do this if you used a site like Flickr, Facebook or other social sites.

Another thing you might want to consider is providing only limited access. I know that Amazon does this on its sites. The user can view the site as if they are logged in, but only up to a point. Before they can do anything related to purchases and orders, they must provide their password.

Edit: Another problem that just occurred to me. Make sure you can invalidate the URLs. Create tokens in your database that you insert into emails, and then you can revoke those tokens. One way to do this is to put a counter in all of your user records, and then copy this counter value to the token table when creating emails. If you need to quickly cancel a large number of tokens, you can simply increment the counter in the user record. Then you can easily see that the token counter does not match the user counter, so you can reject the token.

+5

A system like this is as secure as the user's email.

Of course, email usually has no encryption in transit or at rest. Email accounts are often accessible from workstations and mobile devices. Much email is never deleted.

As the likelihood of email compromise increases over time, time limits are a good idea.

However, you must assume that an attacker with sufficient motivation can see the email in transit. The attacker's motivation will depend on the application in question, so whether this is a good idea or not depends.

+3

At least,

  • set a time limit on the duration of the link (1-2 days?)
  • make it work exactly once. Regardless of what happens after the first use, if it is used again, a 404 is returned.

+1
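The two answers above and the earlier "Edit" answer describe the same three controls: a time limit on the link, exactly-one-click validity, and a per-user counter copied into the token table so every outstanding token can be revoked at once. Below is an added Python sketch combining them; it is not code from the question or any answer, and the in-memory `LoginTokens` class, its method names and the two-day TTL are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 2 * 24 * 3600  # assumed: expire links after two days


@dataclass
class User:
    email: str
    token_counter: int = 0  # incremented to invalidate every outstanding token


@dataclass
class Token:
    email: str
    counter: int        # copy of the user's counter at issue time
    expires_at: float   # unix timestamp
    used: bool = False  # single-use: flipped on the first successful redeem


class LoginTokens:
    """In-memory stand-in (hypothetical) for the user and token tables."""

    def __init__(self):
        self.users = {}
        self.tokens = {}  # keyed by sha256(secret) so a table leak yields no usable links

    def add_user(self, email: str) -> None:
        self.users[email] = User(email)

    @staticmethod
    def _key(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a token; the returned secret is what goes into the emailed link."""
        now = time.time() if now is None else now
        secret = secrets.token_urlsafe(32)
        user = self.users[email]
        self.tokens[self._key(secret)] = Token(email, user.token_counter, now + TOKEN_TTL_SECONDS)
        return secret

    def redeem(self, secret: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email to log in, or None if the token is unknown, used, expired or revoked."""
        now = time.time() if now is None else now
        tok = self.tokens.get(self._key(secret))
        if tok is None or tok.used or now >= tok.expires_at:
            return None
        if tok.counter != self.users[tok.email].token_counter:
            return None  # user counter was bumped after issue: token revoked
        tok.used = True
        return tok.email

    def revoke_all(self, email: str) -> None:
        """Cancel every outstanding token for the user without touching the token table."""
        self.users[email].token_counter += 1
```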

I would automatically log the user in if and only if in step 1 they ticked the checkbox "Remember me on this computer".

0

There is nothing wrong with using an email address as a user ID. It indicates that the person registering has access to this email address at that particular time. But I think the link should expire, and if the link expires, release that email address from your database (as it may belong to someone else).

Since the email is not secure and not very personal (there are many free temporary email sites on the Internet), you cannot use email in situations where trust is important. But for a simple website where you need some kind of accounts, I don't think this is a problem.

As for your proposed solution in paragraph 2, in my opinion, if you do not have step 2, you also do not need to worry about steps 1 and 3.

If you do not allow the user to verify the email address, you should not even ask for it. You would not have a clue that this is the real address corresponding to the one trying to make the account.

If you do not have an email address, the user cannot be given a new password, since you do not know where to send it. The email address entered may belong to someone else who doesn't even want to have an account on your site.

If you cannot reset your password via email (securely), you should not worry about logging in at all. Go to the site without an account.

This assumes that you are not using a call center or support service to verify accounts and, of course, to reset passwords.

-1