Sending email verification link to activate profile c#

Question

I'm currently building a website where people can register and they can have their own pages of content. I have created a custom login page not using the Create user wizard provided on the Microsoft Visual studio 2010. I have a SQL Database at the back end with

tblUsers

where users register will be saved. I have my email smtp settings configured and capable of sending emails using the registering persons email. I have tested this and it works.

The Problems

(1) I'm confused as to how I can generate the activation link to be attached to be sent with the email.

(2) How can i program the code to update a field in the SQL table related to the user

e.g: User verified = true

when the user clicks the link sent through the email.

(3) How can I block the user from being able to log in to the site without going through the verification process? (I am aware this can easily be done by changing few things on the Create User wizard, however I created my registration customarily therefore it runs on a register button click event) Therefore I can't seem to get my head around on how to do it.

Please try to help me out if possible will greatly appreciate it.

Answer 1

I would recommend having a field called something like "ActivationToken" and have a GUID generated. You can do this in SQL directly by calling the newid() function, or in C# by calling Guid.NewGuid(). This is a very unique/random value that is next to impossible to brute force.

So when the user registers, you would do something like:

insert into tblUsers (Username, Password, Active, ActivationToken) values ('johndoe', 'mypassword', 0, newid())

The link would be like: http://yoururl.com/Activate.aspx?token={yourActivationGuid}

Update tblUsers set Active=1 where ActivationToken={yourActivationGuid}

If your UserID is already a GUID, you could probably get away with just using that (such as if you're using aspnet_user tables). As for not allowing the login, just check if the Active flag is set to true. If not, disallow the login.

So to validate login you could do:

select * from tblUsers where Username="johndoe" and Password="mypassword" and Active=1

Answer 2

Create the user login page. Once a submit is clicked, generate a new guid() like stated above, and send the email to the user with the activation guid (unique) and once the user clicks, activate the user in the database (SQL).