Re: Newsletter Secure Subscribe/Unsubscribe

Posted by Peter Fox on 11/03/05 17:18

Following on from Angelos's message...
>Hello...
>I wrote a simple subscribe script: when a user completes the
>subscription form he gets added to the database and then receives an
>e-mail where he/she clicks on the following link:

(1) As you know, it is the *wrong thing* to use the user id. No problem:
as others have suggested, you use a 'random' key.

(2) You could use a hash (with salt!) or a random number and search your
table for the key when you get the response.

(3) BUT there is a problem with hashing on the ID, and that is that the hash
remains constant over time. So let's suppose somebody subscribes, you
don't like their posts and 'suspend their account'; all they have to do
is re-submit. (OK, you could put in /some/ protective logic.)

(4) AND there are missed opportunities. For example: "We have sent this
email 'cos you appear to have asked to subscribe... Click HERE to
confirm or HERE if this is incorrect." OK, so your URL could be
....?id=1234&confirm=Y and .....&confirm=N. Now this encourages
experimentation, and one day you'll get papa using mama's id to
'unsubscribe the bitch!'.



So here is (roughly) what I do: set up a table with a 'random' key, the
command line string that would otherwise have been used, an expiry date
and a group id. Entries are removed when they expire, when they
are used, or when one of the other entries in the group is used (so multiple
choices are one choice, actioned only once). Page logic goes:
1 - look up the action using the big 'random' number on the command line;
2 - if not found, take appropriate actions;
3 - if found, return the array of parameters and remove this action and
any in the same group;
4 - continue processing according to the action.

This also means you have a single URL for email clicks which then farms
actions out to other scripts. All your security processing can be put in
one place. If the action is 'say look at our terms and conditions' then
there may be no need for a login but for 'look at my details' there
would be.

Basically this is a scheme for lending out keys to your site not giving
them away.

--
PETER FOX Not the same since the borehole business dried up
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
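The table-and-dispatcher scheme in the post above, written out as an added example (this is not code from the original post or its author). It is in Python with an in-memory sqlite3 database rather than PHP so that it runs stand-alone; the table and column names, the two action names, the time-to-live values and the e-mail addresses are assumptions made for the example. It shows the three properties the post asks for: an unguessable key with nothing to enumerate, one-shot use, and a "confirm / not me" pair in one group where using either link kills the other.

```python
import json
import secrets
import sqlite3
import time

# Assumed table layout for the example: one row per lent-out key.
SCHEMA = """
CREATE TABLE IF NOT EXISTS pending_actions (
    token      TEXT PRIMARY KEY,   -- big random key that appears in the URL
    action     TEXT NOT NULL,      -- what the click stands for
    params     TEXT NOT NULL,      -- JSON-encoded parameters for the action
    expires_at INTEGER NOT NULL,   -- UNIX time after which the key is dead
    group_id   TEXT NOT NULL       -- siblings share a group; using one removes all
)
"""


class ActionStore:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute(SCHEMA)

    def issue(self, action, params, group_id, ttl_seconds, now=None):
        """Lend out a fresh key: 256 bits from the OS CSPRNG, so there is no
        sequence like ?id=1234 to experiment with."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.conn.execute(
            "INSERT INTO pending_actions VALUES (?, ?, ?, ?, ?)",
            (token, action, json.dumps(params), int(now + ttl_seconds), group_id),
        )
        self.conn.commit()
        return token

    def redeem(self, token, now=None):
        """Return (action, params) exactly once, or None if the key is unknown,
        expired, or already spent. Redeeming deletes the whole group, so the
        sibling 'not me' / 'confirm' link dies with it."""
        now = time.time() if now is None else now
        # Housekeeping first: expired keys must not be redeemable.
        self.conn.execute("DELETE FROM pending_actions WHERE expires_at <= ?", (int(now),))
        row = self.conn.execute(
            "SELECT action, params, group_id FROM pending_actions WHERE token = ?",
            (token,),
        ).fetchone()
        if row is None:
            self.conn.commit()
            return None
        action, params, group_id = row
        self.conn.execute("DELETE FROM pending_actions WHERE group_id = ?", (group_id,))
        self.conn.commit()
        return action, json.loads(params)


def handle_click(store, token, now=None):
    """The single URL every e-mail link points at; it farms the work out
    according to the stored action, never according to anything else in
    the query string."""
    result = store.redeem(token, now)
    if result is None:
        # Same answer for never-issued, expired and replayed keys.
        return "invalid or expired link"
    action, params = result
    if action == "confirm_subscribe":
        return f"subscribed {params['email']}"
    if action == "reject_subscribe":
        return f"removed pending request for {params['email']}"
    return "unknown action"


def demo():
    """Issue a confirm/reject pair in one group, then click confirm,
    then try the reject link, then replay the confirm link."""
    store = ActionStore(sqlite3.connect(":memory:"))
    now = 1_700_000_000  # fixed clock so the example is deterministic
    group = secrets.token_hex(8)
    yes = store.issue("confirm_subscribe", {"email": "alice@example.org"}, group, 86400, now)
    no = store.issue("reject_subscribe", {"email": "alice@example.org"}, group, 86400, now)
    first = handle_click(store, yes, now + 60)    # accepted
    second = handle_click(store, no, now + 120)   # sibling already removed
    again = handle_click(store, yes, now + 180)   # replay fails
    return first, second, again


def expiry_demo():
    """A key clicked one second after its expiry is treated as unknown."""
    store = ActionStore(sqlite3.connect(":memory:"))
    now = 1_700_000_000
    tok = store.issue("confirm_subscribe", {"email": "bob@example.org"}, "g1", 3600, now)
    return handle_click(store, tok, now + 3601)


if __name__ == "__main__":
    print(demo())
    print(expiry_demo())
```

The lookup is by primary key on the random token, so the response to a wrong key is the same whether it was never issued, has expired or has already been spent; that is what stops the experimentation the post warns about. Anything that needs the user to prove who they are (the "look at my details" case) belongs in the handler for that action, after the key has been redeemed.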
