How to check that the user clicked the link in the letter that I sent him?

This is a more focused question raised by a previous post. I need to authenticate the user's email address, proving that he has access to it. I copied below the general email authentication that you expect to see when you connect to the developer forum or user group. As part of the registration process, you must provide your email address, and then you will receive an email asking you to click on something to confirm your email address.

I need to encode everything that happens when a user clicks on a link in an email. So my question is: how do I do this?

What technologies are involved? Can someone walk me through it? I prefer Java or a Linux scripting language like bash. Even better, is there any software developed for this purpose that I can install on my Linux server and somehow integrate into the conversation with my database? How is this done in practice? I do not want to invent something if it is already available.

To confirm your email address of: youremail@yourdomain.net please send a short reply to this address:

users-sc.1496854427.ckdpbmhncdlkjadkajfpecc-mylist=yourdomain.net@listdomain.com

Usually, this happens when you just hit the "reply" button. If this does not work, simply copy the address and paste it into the "To:" field of a new message, or click here: mailto:users-sc.1496854427.ckdpbmhncdlkjadkajfpecc-mylist=yourdomain.net@listdomain.com

This confirmation serves two purposes. First, it verifies that I am able to get mail through to you. Second, it protects you in case someone forges a subscription request in your name.

Some mail programs are broken and cannot handle long addresses. If you cannot reply to this request, instead send a message to <users-request@listdomain.com> and put the entire address listed above into the "Subject:" line.
3 answers

In your user database you need to have a table of intermediate users (or add a column in the table of primary users indicating whether the user is active, with the default indicator set to "no"). When the user first logs in, you generate a unique hash code from part of the user's information; for example, use md5 of the primary key and username (or some other set of user variables that you can get back by decryption). Make this hash code the parameter of the query string in the link that you send to the user. Finally, when the user clicks on the link, your code gets the hash code from the query string, decrypts it, and matches the decrypted values with the user row in your database. If a match is found, set the "active" indicator to true and presto. Alternatively, if you used a staging table, move the user record to the "active users" table that you use for authorization.


Replying to a unique email address to verify someone has an inherent flaw: it can be faked (if you do not check the headers and IP). For example, I visit your site to register. You tell me to reply to users-sc.1496854427.ckdpbmhncdlkjadkajfpecc-mylist=yourdomain.net@listdomain.com. I use the mail() function, using a spam bot to respond. Game over. The goal is defeated.

Instead, you can send me a link to check on my register identifier. Something like example.com/verify?userid=1&hash=67gk65fs6714fgsHguj

In the users table:

    id|username|status|onetimehash
    --+--------+------+--------------------
     1|testuser|  0   |67gk65fs6714fgsHguj

Now in your verification call, check the user id and hash. If they match the values in your db, you can safely verify the user. To generate the hash, you can take the md5 or sha1 value of the username mixed with some salt, timestamp or random number.

UPDATE: If you intend to use the previous solution, that is, capturing the user's reply for email verification, you will have to configure your own mail server. Fetchmail can help you. You will need to programmatically read the email headers and extract the necessary information from the <to>, <from> or <subject> fields, like userid = 1496854427 and hash = ckdpbmhncdlkjadkajfpecc. In this process, you may need a regular expression. Once you have these values, it's pretty simple: check them against the database values.

Bottom line: the previous method is not just tedious, but also more vulnerable than the last. Most webapps use the second solution as it is cleaner and wiser.

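The link-based flow from the answer above (issue a one-time value, store it against the user row, verify it when the link is clicked), as an added example that is not code from the original post. It uses a random token with an expiry and stores only its SHA-256 digest, rather than an md5 of the username, so a database leak does not expose usable links; the table columns, `issue_link`, `parse_link` and `verify` are all assumed names for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL = 24 * 3600  # assumed policy: a verification link is valid for one day


def _digest(token: str) -> str:
    # Only the digest is stored; the raw token exists solely in the emailed link.
    return hashlib.sha256(token.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the users table described in the answer.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "status INTEGER DEFAULT 0, token_hash TEXT, token_expires INTEGER)")
    return db


def issue_link(db, user_id, base="https://example.com/verify", now=None):
    # Generate an unguessable token, record its digest and expiry, build the link.
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE users SET token_hash=?, token_expires=? WHERE id=?",
               (_digest(token), now + TOKEN_TTL, user_id))
    return f"{base}?userid={user_id}&hash={token}"


def parse_link(url):
    # What the /verify handler receives: userid and hash from the query string.
    q = parse_qs(urlparse(url).query)
    return int(q["userid"][0]), q["hash"][0]


def verify(db, user_id, token, now=None):
    # Reject unknown users, already-active users, expired or mismatching tokens.
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT token_hash, token_expires, status FROM users WHERE id=?",
                     (user_id,)).fetchone()
    if row is None:
        return False
    stored, expires, status = row
    if status == 1 or stored is None or now > expires:
        return False
    if not hmac.compare_digest(stored, _digest(token)):  # constant-time compare
        return False
    # Single use: activate the account and clear the token so the link dies.
    db.execute("UPDATE users SET status=1, token_hash=NULL WHERE id=?", (user_id,))
    return True
```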

I know of one link that answers this best, by BalusC.
Here is the link: best answer.
I implemented this in my project. Hope this helps others.

