[RESOLVED] Authentication via Email - How?

Sando

Hello,

Short version:

I'd like to set up a system for authenticating a user's email address by sending them a link to click on, following that, the data from them can be trusted. (much like the system used by these forums and countless other all over the net).

How do I set up a system that does that?

Long version:

I'm setting up a website for a May Ball* and this year, for the first time it will allow our guests to book their tickets online.

At the moment though, my current stumbling block is how to verify that a user is who he/she says they are.

Fortunately I have one thing on my side. You can only book a ticket if you're a member of the university, and hence have a university email account, which is only associated with one person, whose surname and initials can be found via a directory service, and should match those submitted.

The plan is that once you click "Submit", your booking goes into the database, but has a flag on it that means you haven't confirmed, this flag will only be removed once you've clicked on a link in the email you've been sent.

However, I'm not sure how to implement the custom link and authentication bit, any help would be much appreciated.

Thanks very much,

*black tie, 9pm -> 6am, copious food, drink, music entertainment, in a lavishly decorated setting, great fun. http://en.wikipedia.org/wiki/May_Ball

etully

First, have them create an account. They enter their email address and whatever other information you want to store about them. Write this to a table in a database but have a field called "verified" and set that value to "N" which means "No, Not yet". When you write this record to the table, pick a random 10 digit number. Maybe even 15 digits, maybe even 10 numbers + 10 random letters or whatever. Write that to their record to into a field called "verification_string". Display a message on screen that says, "Check your email, click the link to activate your account".

Then send an email to the user with this URL:

http://www.your_server.com/subdirectory/activation_script.php?x=$random_string

When they get the email, the URL will actually have the random string at the end of the URL

Now write a PHP script called activation_script.php that receives the value "x". All you have to do is write a SQL statement that says:

update users set verified='Y' where activation_string='$x'

This way, their account gets changed.

You can make it safer by embedding their email address or their unique userid in the URL too. Then your activation_script.php should look for all three (userid, email address, activation string). Then your update statement will say:

update users set verified='Y' where activation_string='$x' and email='$email' and id='$id'

Don't forget to check the values of $x, $email, and $id for malicious characters so that people can't screw up your database.

Now that their account has been changed to verified="Y", you can wait for them to try to register for tickets. When they try, check to see if verified="Y" before guaranteeing them tickets.

Once you learn the techniques in this suggestion, you will be able to alter it a little. For example, you might have two tables, one called users and another called pending_users and when they successfully activate their account, you can delete the record from pending_users and re-write it into the users table. This way, if someone tries to sign up for a hundred million user accounts, you won't have them polluting your real user table.

Sando

Thanks very much.

Sando