
I am developing an ASP.Net application that will need to verify that the user is legit and not a spammer. Once the new user enters their first name, last name, and email address, my application will send an email to verify the user's authenticity. The email would contain a link that would confirm the user's account.

I am looking for help on what the logic is behind the email link. Once the user clicks the link, what happens?

I have had a website that has used Captcha, and not had much luck stopping spam (I know you can't stop 100% spam) similar to this Stopping spammers from creating accounts (reCaptcha not doing the trick)


2 Answers


As Rook has pointed out below, the simplest way is to use Captcha.

If you need to verify the email as well though, see below.


You could generate an approval GUID and pass it to the email URL which would mark the User as Active.

For example, add a column called ApprovalID to the users table and generate a new GUID when the user registers, i.e.

You should mark the user as inactive at this stage.

Example Guid 3F2504E0-4F89-11D3-9A0C-0305E82C3301 

Then pass the User Id and GUID in the email body

<a href="http://www.mysite.com/verify.aspx?UserId=TheUserId&ApprovalId=3F2504E0-4F89-11D3-9A0C-0305E82C3301">Verify your account</a>

Then a simple page verify.aspx

Code Behind

string UserId = Request["UserId"]; // You can parse these as Guids
string ApprovalId = Request["ApprovalId"];

// TODO:
// Get user from database
// Match QueryString ApprovalId to Column ApprovalId
// Ask user to Log In
// Set user as active
Marko
  • I wouldn't expose database ids for user table on querystring. – Claudio Redi Oct 03 '10 at 01:18
  • @Claudio Redi SO exposes user ids... it is the most common way web apps work. – rook Oct 03 '10 at 01:19
  • I wouldn't expose it in that way if I can avoid it, in this case there are other approaches (I could use the GUID to identify a pending activate request). Feeling that I'm giving to the outside world more information than necessary. – Claudio Redi Oct 03 '10 at 01:22
  • Usernames are exposed **ALL OVER** the web, along with Ids, Guids.. are you saying none are secure? – Marko Oct 03 '10 at 01:25
  • @Marko Ivanovski: sorry, I didn't mean that. Just saying that in this case in particular I could achieve the same without passing the user id on the querystring, so I think that the less information related to your backend you expose, the better, just that :) – Claudio Redi Oct 03 '10 at 01:35
  • No probs, I'm interested to see what your solution is (apart from Captcha) :) – Marko Oct 03 '10 at 01:44
  • @Marko Ivanovski: GUID = Globally unique identifier. "The primary purpose of the GUID is to have a totally unique number. Ideally, a GUID will never be generated twice by any computer or group of computers in existence". Just saying that the GUID is enough to identify the pending activate request. This is my last word about this, didn't mean to offend man :) – Claudio Redi Oct 03 '10 at 01:50
  • I built a system that stored the guid then the link clicked in the email contained both the guid AND the email as params passed back to the page. Both were checked for confirmation. If anyone tried to manipulate the guid they'd have to also somehow guess the appropriate email address to have any kind of effect. – Don Mar 05 '12 at 09:03
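The flow described in this answer (register as inactive, store an approval token, email a link, compare the token on verify.aspx, then activate), written out as an added example that is not code from the answer above. It is plain C# with an in-memory dictionary standing in for the users table, so the names PendingUser, AccountVerification, Register, BuildVerifyUrl and Verify are assumptions for illustration; it targets .NET 5 or later for Convert.ToHexString. Beyond the answer it adds the checks a practitioner would want on the verify page: a token from the cryptographic RNG rather than a GUID, an expiry, single use, and a constant-time comparison.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical in-memory stand-in for the users table from the answer.
// ApprovalId lives next to the user and is cleared once it has been used.
public sealed class PendingUser
{
    public int UserId;
    public string Email;
    public bool IsActive;
    public byte[] ApprovalId;          // null once the link has been consumed
    public DateTime ApprovalExpiresUtc;
}

public static class AccountVerification
{
    // Stand-in for the database, keyed by UserId.
    private static readonly Dictionary<int, PendingUser> Users = new Dictionary<int, PendingUser>();
    private static int _nextId = 1;

    // Registration step: create the user as inactive and attach a fresh,
    // unguessable approval token with a limited lifetime.
    public static PendingUser Register(string email, TimeSpan linkLifetime)
    {
        var token = new byte[32];             // 256 bits from the crypto RNG
        RandomNumberGenerator.Fill(token);
        var user = new PendingUser
        {
            UserId = _nextId++,
            Email = email,
            IsActive = false,
            ApprovalId = token,
            ApprovalExpiresUtc = DateTime.UtcNow.Add(linkLifetime),
        };
        Users[user.UserId] = user;
        return user;
    }

    // The link that goes into the email body, same shape as in the answer.
    public static string BuildVerifyUrl(PendingUser user, string baseUrl)
    {
        return $"{baseUrl}/verify.aspx?UserId={user.UserId}&ApprovalId={Convert.ToHexString(user.ApprovalId)}";
    }

    // What verify.aspx does with the two query-string values when the link is clicked.
    public static bool Verify(string userIdParam, string approvalIdParam)
    {
        if (!int.TryParse(userIdParam, out var userId)) return false;
        if (!Users.TryGetValue(userId, out var user)) return false;
        if (user.IsActive || user.ApprovalId == null) return false;   // already verified
        if (DateTime.UtcNow > user.ApprovalExpiresUtc) return false;  // link expired

        byte[] supplied;
        try { supplied = Convert.FromHexString(approvalIdParam ?? ""); }
        catch (FormatException) { return false; }                     // malformed token

        // Constant-time comparison so a wrong token fails without leaking
        // how many leading bytes were right. Length mismatch also fails.
        if (!CryptographicOperations.FixedTimeEquals(supplied, user.ApprovalId)) return false;

        user.IsActive = true;
        user.ApprovalId = null;   // single use: a replay of the same link fails
        return true;
    }
}
```

Usage: call Register, put BuildVerifyUrl's result into the email, and have verify.aspx pass Request["UserId"] and Request["ApprovalId"] to Verify. Passing the UserId alongside the token, as the answer does, keeps the lookup an indexed primary-key hit and the token bound to one row; if, as Claudio suggests, the token alone identifies the pending request, index the token column and drop the UserId parameter, but keep the expiry and the clear-after-use.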

Sending a confirmation link doesn't do anything to stop spam. Emailing someone a link with a Cryptographic Nonce just ensures that they can receive email; bots can also receive email.

The best way to stop spam is by using captcha, and I recommend using reCaptcha. You should prompt the user with a captcha when a user signs up for your service.

rook
  • Just out of curiosity, has anyone cracked reCaptcha yet? – Marko Oct 03 '10 at 01:25
  • Nevermind I found this SO question http://stackoverflow.com/questions/448963/has-recaptcha-been-cracked-hacked-ocrd-defeated-broken – Marko Oct 03 '10 at 01:31