On my site, a user enters his email when creating an account. After submitting the form, a new user row is created in the db with the respective email. This row has the inactive flag set to True. Next, an activation email is sent to the entered email address so that the user can activate his account and log in afterwards using the email and password. There is a unique constraint on email in the db for login to work correctly.
The problem is that someone can use an email of another person, blocking that other person from ever registering on my site. There already is an (inactive) account with the email that the legit user tries to enter, so a new user row can't be created. I am not sure how to tackle this problem exactly. It probably has a good solution because the registration scheme I use is pretty standard.
From my viewpoint, I have a solution like this:
When a user registers with the email, I will generate a unique key (maybe the user-id) that will be attached to the activation link in the email content. When the user clicks to activate the account, we will get that unique key to update the confirmation from the user. That solution will help you disable a user by user id instead of by email, which can be duplicated.
Hope this helps.
You cannot find the email id of the person who misused the other person's email id, so it's not possible to an extent.
You could delete the database entry with the email after some time, if the activation link has not been clicked. Depending on your operating system, you could use cron or systemd timers (Linux) or scheduled tasks (Windows) for that.
For example, to execute a MySQL query from cron, this question might be helpful.
I'm working on my first MERN fullstack project (an e-commerce demo). I have almost finished the authentication part, but I am having doubts about how to manage the users who have the same registration email both through custom sign-in and google login on the MongoDB database.
While doing various research, I noticed that one of the methods used is the following:
1- If the email of the user who logs in via Google login is already saved in the database because the same user had already registered via traditional sign-up, a new user will not be created in the database; instead, both sign-in methods will point to the same user already saved with that email.
2- If there are no users saved in the database with that email (because the user logged in for the first time with Google login and did not first register traditionally), once the user has logged in with Google login, they will be saved to the database for the first time.
However, this method presents problems with regard to the second type of users mentioned above.
In fact, if we merge the accounts with the same email on the database, if the user logs in for the first time with google, no password will be saved on the database. Therefore, if the same user decides in the future to log in in the traditional way, he will not be able to do so because he will not be able to fill in the password field.
How to solve this problem?
Usually sites with the "first Google login immediately creates an account" behaviour have 2 solutions to this problem:
As part of the "immediately create an account" step, they directly ask the user to choose a password.
Alternatively, their "Change password" section allows creating a password should there be none yet. Therefore the account is indeed password-less at the beginning, but the user can opt to add a password.
For the 2nd solution, there's the small problem that if the user loses access to their Google account and didn't set a password, they're locked out. Rare case which might not be worth looking out for. And perhaps your Customer Service can still help them out.
Usually when you create an account to some webpage they send you an email with a link in order for you to validate your account.
If you click that link then your account is validated and that's the end of it.
How does this work?
Is that url unique for every new user so they know who visited what?
This is not a web service related question, however I can conceptually guide you through what you need to do.
When a user registers, their information will probably be captured into some user table in a database somewhere. This user is marked as pending. The system can then generate a unique id, i.e. a GUID, which is stored next to the user entry in the database. This GUID, if properly constructed, will be impossible to guess. This GUID is then added as a GET parameter to the URL that you send in an email to the user.
For example you might have the URL:
http://example.com/activateuser?confirmuid=5e706449-2cbf-4938-8109-fb564c196d8f
Thus every user will use the same URL with a different confirmuid parameter. This URL will then post the confirmuid to the page, where you can use this value to look up the user in the database and then activate the user, or move it from a pending state to an active state.
Simple, right?
When users in an MVC application with Google/Facebook/Twitter authentication register for the first time, they go to the ExternalLoginConfirmation.cshtml page. There they are asked for their username, but are only allowed to fill in an email address, according to the ExternalLoginConfirmationViewModel model.
Is it set to email for a reason? In the code it's creating a new ApplicationUser to store the user, but it's using the just-entered email for both username and email.
Can I go horribly wrong if I allow users to enter a username of their choosing, and store the email address as I got it from Google/Facebook/Twitter, etc.?
I think the MVC5 registration flow is flawed by default, and needs to be reworked.
By trusting the default providers' emails (set the email as auto-confirmed from Google+, Yahoo, MS, and Facebook).
Don't let the user enter an email+username, as he can register ANY email he enters in the box, straight into the AppUsers table.
MVC5 needs to create a User if not done so already at the ExternalLoginConfirmation method.
The default login password would be set to something blank, with links to reset it if needed (or be totally disabled).
This would allow the users to register on any massively trusted providers automatically, it would link accounts together as long as their email is the same, and allow to unlink accounts once again.
The way MVC5 is set up right now is half-baked and broken, for no apparent reason.
I want to set up 3 things for my user authentication system running on Passport / Neo4J:
1) Manual user account activation (so that admin does it);
2) Invite-only account creation;
3) E-mail confirmation of account before activation;
I was wondering if you knew of any easy-to-use Passport plugins for it (I haven't found any myself, but also want your recommendations) and also – what would be the best way to implement it (maybe you've already done / seen it, so you could share the code?)
Thank you!
Disclosure: I have never worked with Neo4j, so I am unaware of the specifics but I would accomplish this in the following way:
You can write up some simple queries that insert a user's information (e.g. username, password, email, etc.) into your database upon registration. Then, send the user an email using something like nodemailer in which it states that he has been registered and is awaiting confirmation.
Among the user information that you have stored you should have a column where you store the account status (verified or not verified). You can then write up a small webpage for retrieving all the accounts from your database where verified=false, and confirm the ones that you want by setting verified to true, after which the user would receive an email telling him that he can now use your service.
As for invite-only registration, I would have a special table with "registration codes" that would be generated and inserted into that table when a user invites someone. The one who was invited would then receive a link with the code, and upon clicking it the server would check if the code exists in the database, and if it does would allow the user to create an account.
I realize that this is a broad answer, but there are many ways to accomplish what you're looking for!
Someone was having a go at it with Drawbridge, but the build is failing... https://www.npmjs.org/package/drawbridge
I'm looking for the same thing.
I'm developing a web app and currently I'm trying to decide whether or not to let my users change their email.
If an account gets compromised, the attacker only needs to change the email and then reset the password to gain complete control of the user account. However, with no ability to change the email address, the user can regain control and simply reset the password to stop further rogue access to their account.
What do you think?
It is my opinion that the user should be able to change all details associated with their person, including their e-mail address.
Minimum security measure should be: ask the user to enter their password!
E-mail changes should be handled with the same care as password changes:
Asking for their password would prevent somebody from changing the e-mail address for an already logged-in user; after changing the e-mail address, it is usually trivially easy to get a valid password for the account, effectively taking over the account completely.
E-mail confirmation scheme:
Added security measures can come in various ways, usually consisting of some sort of e-mail confirmation.
The difficulty with e-mail confirmation is that a common reason for users to change their current e-mail address is because they can no longer access it (changed jobs, changed providers, etc, etc).
A common scheme of e-mail change confirmation is the following:
Send an e-mail to the new address with a "Confirm e-mail change" link (make sure it is a working e-mail address).
Upon receiving the confirmation from the new address:
Change the e-mail address.
Send an e-mail to the old e-mail address with the option to "Revoke e-mail change" link (this option should be valid for 30 days or so).
Extended security with e-mail confirmation:
For some high-risk accounts, you could only allow 'limited access' to the account for as long as the 'revocation period' is still active (the above mentioned 30 days or so).
In addition to the "Revoke e-mail change" link, you can provide a "Confirm e-mail change" link in the e-mail sent to the old address. Clicking the link would make the change of address permanent, ending the revocation and 'limited access' period immediately.
UPDATE
There seems to be some confusion about what is compromised if somebody is 'Logged in'.
There are quite a few options for a fraudulent person to gain access to a logged-in account without knowing the password.
Consider for example the option where somebody simply walks away from the keyboard, or has chosen to use some sort of 'remember me' functionality (either provided by the browser or by the website itself).
While this is bad, a well designed system would/should limit the damage by not allowing any account-damaging actions to happen without asking for the user's password again.
The prime example for this is:
Ask the user for his/her current password if they want to change it.
Send a confirmation email to the original email address requiring some confirmation action before making the change.
Retain the old e-mail address for a while, and allow it to be used to reset the password.
Only let authenticated (logged in) users change their email address. If the account is compromised then they already have complete control over it. Changing email address in this case should be the least of your worries! :)