Question

After the user finishes the registration process, we need to send a verification email to the user. I know how to send email, but I need to know what the process of sending a verification link is: should I create a column in the table to save the verification token and send it encrypted? If we have to save the verification token, what is the perfect way to generate this token? I have not tried any solution.


Solution 2

Yes, you should create a column in the table to save the verification token.

You can have activation code as "GUID"

A simple way of do the same is:

  1. Build your Query String by combining User-ID, verification token and Creation-date.

  2. Do encoding of the combined string

    // userId, verificationToken and creationDate hold the values combined in step 1
    "?user=" + Convert.ToBase64String(Encoding.Unicode.GetBytes(String.Format("user={0}&code={1}&cd={2}", userId, verificationToken, creationDate)));

  3. Send the link to the user

  4. When your user clicks on the link, decode the Query String

  5. Separate the combined values by splitting the string on "&"

    Encoding.Unicode.GetString(Convert.FromBase64String(ActivationDetails)).Split(new Char[] { '&' });

You have all values required to activate the account. Also, you can add your logic and encryption methods. However, the base remains the same.

Hope this helps.

Other tips

I would recommend generating a GUID when the user successfully registers, like this:

Guid theVerificationCode;
theVerificationCode = Guid.NewGuid();

Now store this GUID value in a database column, presumably in a User-like table.

Now when you are sending the email, you can provide this verification code value as part of a URL via the query string, like this:

string theVerificationCode = GetVerificationCodeFromDatabase();
string theEmailLink = "https://www.yoursite.com/YourApp/Verify.aspx?code=" + theVerificationCode;

Finally, you will need to build logic into the Verify.aspx page that checks whether what was passed in the query string matches what is in the database; if they match, then you can allow the user to authenticate, and if not, display an error message.

I would recommend having a field called something like "ActivationToken" and have a GUID generated. You can do this in SQL directly by calling the newid() function, or in C# by calling Guid.NewGuid(). This is a very unique/random value that is next to impossible to brute force.

So when the user registers, you would do something like:

insert into tblUsers (Username, Password, Active, ActivationToken) values ('johndoe', 'mypassword', 0, newid())

The link would be like: http://yoururl.com/Activate.aspx?token={yourActivationGuid}

Update tblUsers set Active=1 where ActivationToken='{yourActivationGuid}'

If your UserID is already a GUID, you could probably get away with just using that (such as if you're using aspnet_user tables). As for not allowing the login, just check if the Active flag is set to true. If not, disallow the login.

So to validate login you could do:

select * from tblUsers where Username='johndoe' and Password='mypassword' and Active=1
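The answers above agree on the shape of the flow (generate a token at registration, store it, put it in a link, compare on the activation page). As an added example that is not code from any of the answers, the C# below carries that flow through with the properties a defender wants: the token comes from the OS CSPRNG rather than a GUID, the database keeps only a hash of it with an expiry, and the activation page compares in constant time and accepts each token once. It assumes .NET 6 or later; `ActivationRecord`, `Activation`, `Register` and `Activate` are hypothetical names standing in for the tblUsers row and the Activate.aspx handler.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Hypothetical stand-in for the tblUsers row (added example, not from the answers above).
public sealed class ActivationRecord
{
    public string TokenHash = "";  // SHA-256 of the token; the raw token exists only in the email link
    public DateTime ExpiresUtc;
    public bool Active;
}
public static class Activation
{
    // 32 bytes from the OS CSPRNG, URL-safe base64 so it survives a query string without re-encoding.
    public static string NewToken() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(32))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    public static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
    // At registration: keep only the hash and an expiry in the row, return the link to email.
    public static string Register(ActivationRecord rec, string baseUrl, TimeSpan lifetime)
    {
        string token = NewToken();
        rec.TokenHash = Hash(token);
        rec.ExpiresUtc = DateTime.UtcNow.Add(lifetime);
        rec.Active = false;
        return baseUrl + "?token=" + token;
    }
    // In Activate.aspx: reject used or expired tokens, compare hashes in constant time, mark single-use.
    public static bool Activate(ActivationRecord rec, string presented)
    {
        if (rec.Active || DateTime.UtcNow > rec.ExpiresUtc) return false;
        byte[] expected = Encoding.UTF8.GetBytes(rec.TokenHash);
        byte[] actual = Encoding.UTF8.GetBytes(Hash(presented));
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return false;
        rec.Active = true;
        rec.TokenHash = "";  // the token cannot be replayed after a successful activation
        return true;
    }
    public static void Main()
    {
        var rec = new ActivationRecord();
        string link = Register(rec, "https://www.example.com/Activate.aspx", TimeSpan.FromHours(24));
        string token = link.Substring(link.IndexOf("?token=") + "?token=".Length);
        Console.WriteLine(Activate(rec, "not-the-token"));  // wrong token
        Console.WriteLine(Activate(rec, token));            // correct token, first use
        Console.WriteLine(Activate(rec, token));            // same token presented again
    }
}
```

Storing the hash means a read of the table does not yield usable activation links, and the expiry bounds how long a leaked email stays valid.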
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow