Validate & Confirm E-Mail Address

Hello all:

I'd like some advice on the best way to validate and confirm an e-mail
address entered during a registration process. What we are thinking of is
something like the following:

1. User comes to our web site and validates themselves as a member of our
database.
2. User creates a user name and password to be used to log in to our site.
3. User is required to enter a valid e-mail address to finalize
registration.
4. Registration process is suspended until...
5. Server sends e-mail to supplied e-mail address with a link in it that
the user must click on to continue the registration process.
6. User clicks on link and is taken to a log-in page where they will enter
the information supplied in #2
7. Once they have successfully logged in (which also confirms either e-mail
address), they are fully registered and ready to go.

Reason we decided on the above is because of:

1. If e-mail were to be intercepted (either maliciously or by typo by
user), no one but the registering user could confirm e-mail because they
must login with link to confirm e-mail.
2. We need an e-mail in case the user forgets their password so it must be
active and valid for use.

Are there any security holes in the plan?

Additionally, has someone done something like this and have code and/or
suggestions from your experience?

Thanks for all the help,
Scott
Nov 19 '05 #1
Hi Scott,

I use the same technique on my site (www.peterblum.com). Feel free to
download something from the site to try it out. (There are free ASP.NET
controls so you might actually get something you like.)

The advantages are clear. Your database knows when a user has not finished
registration. So other functions that use your registrations can skip them.
The disadvantages:
1. Sometimes email does not make it to the user. DNS problems, anti-spam
software blocking, or email server blocking features. I'd say probably 5% of
users that appear to have legit email addresses end up with this problem.
2. Users create temporary email addresses just for signing up. If this info
is important to you, your site still can be fooled.
3. Users often mistype their email address. I often see back-to-back entries
with slightly different email addresses. At least that indicates the user is
trying to make things work.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

Nov 19 '05 #2
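The flow discussed above, as an added example that is not part of the original thread or either poster's code: a pending registration, a single-use e-mailed token stored only as a hash, and a confirmation step that succeeds only when the login and the token belong to the same account. The Python sketch, the in-memory `Registrations` store, its field names, the 24-hour lifetime and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 24 * 3600    # assumed link lifetime in seconds
PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _tok_hash(token):
    return hashlib.sha256(token.encode()).digest()

class Registrations:
    """In-memory stand-in for the user table (hypothetical schema)."""
    def __init__(self):
        self.users = {}

    def register(self, username, password, email, now=None):
        # Steps 2-4: the account exists but stays pending (confirmed=False).
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": _pw_hash(password, salt),
                                "email": email, "confirmed": False}
        return self.issue_token(username, now)

    def issue_token(self, username, now=None):
        # Step 5 (and any resend): a new random token replaces the old one.
        # Only its hash is stored; the token itself goes in the e-mailed link.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.users[username].update(token_hash=_tok_hash(token),
                                    token_expires=now + TOKEN_TTL)
        return token

    def confirm(self, token, username, password, now=None):
        # Steps 6-7: the link alone is not enough; the login must succeed
        # and the token must belong to the account that logged in.
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None or user.get("token_hash") is None:
            return False
        ok = (hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"])
              and hmac.compare_digest(_tok_hash(token), user["token_hash"])
              and now <= user["token_expires"])
        if ok:
            user["confirmed"] = True
            user["token_hash"] = None   # single use
        return ok
```

Because `confirmed` stays false until `confirm` succeeds, other functions that read the user table can skip unfinished registrations, and calling `issue_token` again after a mistyped address invalidates the earlier link.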
Peter:

Could you provide a link directly to the download of the registration
example? I've poked around on your site and haven't found it.
Thanks!

Scott

Nov 19 '05 #3
Sure. This will let you download the free "Color Selector Controls" web
controls.

http://www.peterblum.com/DownloadNow.aspx?ProductId=3

Throughout my site, where you see "Download Now" buttons (at the bottom of
product pages) or Try It (at the top and bottom), you have access to this
system.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
Nov 19 '05 #4
