I've been asking around for some feedback on my website and one comment I received was the following:
“I signed up with email@email.com and managed to activate my account with http://www.mysite.co.uk/activateuser.php?email=email@email.com
You need checksums to stop it.”
Can anybody elaborate on this and how I can implement them into my activation?
In theory, if I was to create a row named “rand_key” in my DB and, when a user registers, a random key is stored in the column, could I then use this as the activation as opposed to the email, thus making it unguessable?
You need to create a unique user key, which shouldn’t be related to user data. Usually you could do something like hashing the output of a random generator function in order to make it unique and use that. Then you point them to the link:
http://www.mysite.co.uk/activateuser.php?userid=generated-unique-hashed-key
This unique user key should be added as an extra field to the table where you store your user info, or related to the user in some other way. By keeping the key unrelated to user data you make sure nobody can discover a user’s key and maliciously activate/do another action instead of your user.
Then you should test the user key on arrival for some conditions:
Also, there should be an expiration date associated with your user, upon which you just deactivate the user along with his key.
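The following is an added example of the scheme described in the answer above (random key stored against the user, checked on arrival, with an expiry); it is not code from the original post or from the asker's site. It assumes a `users` table with `active`, `activation_hash` and `activation_expires` columns and a 24-hour link lifetime; the SQLite in-memory database, the `activateuser.php?token=` URL parameter and the function names are all assumptions so that the script runs stand-alone, and the DSN would be swapped for the real MySQL one.

```php
<?php
// Added example (not from the original answer): activation keys that are
// random, unrelated to user data, stored only as a hash, single-use and time-limited.
// Assumed schema: users(id, email, active, activation_hash, activation_expires).
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 24 * 60 * 60; // assumed policy: links die after 24 hours

function makeActivationToken(): string
{
    // 32 bytes from the CSPRNG, hex-encoded so it is URL-safe.
    // rand(), mt_rand(), uniqid() and md5(time()) are all guessable; do not use them.
    return bin2hex(random_bytes(32));
}

function tokenHash(string $token): string
{
    // Only the hash is stored: a leaked database dump cannot then be used to activate accounts.
    return hash('sha256', $token);
}

function registerUser(PDO $db, string $email): string
{
    $token = makeActivationToken();
    $stmt = $db->prepare(
        'INSERT INTO users (email, active, activation_hash, activation_expires) VALUES (?, 0, ?, ?)'
    );
    $stmt->execute([$email, tokenHash($token), time() + TOKEN_TTL_SECONDS]);
    // The raw token goes to the user once, in the e-mail link, and is never written to the DB.
    return $token;
}

function activationLink(string $token): string
{
    // The link carries the random key, not the e-mail address or user id.
    return 'https://www.mysite.co.uk/activateuser.php?token=' . rawurlencode($token);
}

function activateUser(PDO $db, string $token): bool
{
    // Reject anything that is not 64 hex characters before touching the database.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    // Look the user up by the hash of the supplied key, never by e-mail or id.
    $stmt = $db->prepare(
        'SELECT id, activation_hash, activation_expires FROM users WHERE activation_hash = ? AND active = 0'
    );
    $stmt->execute([tokenHash($token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown, already used, or discarded key
    }
    // Constant-time comparison, on top of the indexed lookup, so timing does not leak matches.
    if (!hash_equals($row['activation_hash'], tokenHash($token))) {
        return false;
    }
    if ((int) $row['activation_expires'] < time()) {
        // Expired: discard the key so it cannot be retried; the user must request a fresh link.
        $db->prepare('UPDATE users SET activation_hash = NULL WHERE id = ?')->execute([$row['id']]);
        return false;
    }
    // Single use: activate and discard the key in one statement, guarded by active = 0.
    $upd = $db->prepare(
        'UPDATE users SET active = 1, activation_hash = NULL, activation_expires = NULL WHERE id = ? AND active = 0'
    );
    $upd->execute([$row['id']]);
    return $upd->rowCount() === 1;
}

// Demo against an in-memory SQLite database (constructed for this example).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT UNIQUE NOT NULL,
    active INTEGER NOT NULL DEFAULT 0,
    activation_hash TEXT,
    activation_expires INTEGER
)');

$token = registerUser($db, 'email@email.com');
echo 'Send to user: ', activationLink($token), PHP_EOL;

var_dump(activateUser($db, 'email@email.com')); // an e-mail address is public, not a secret
var_dump(activateUser($db, $token));            // the genuine, unexpired link
var_dump(activateUser($db, $token));            // same link replayed after the key was discarded
```

Run with `php activate_demo.php` (needs the pdo_sqlite extension). The first call is refused by the format check alone, the second activates the account and wipes the stored hash in the same UPDATE, and the third is refused because no row with that hash remains. On the real site the same `activateUser()` would be called with `$_GET['token']`, and a scheduled job can delete rows whose `activation_expires` has passed without the user ever clicking, which is the deactivation the answer mentions.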