Email verification

  • Amir Ghezelbash

    Email verification


    Hello everybody, I had a question

    I am involved in a project where I need to verify the user's email
    address by sending them an email and asking them to click on a link. now
    I have done this but my link is human readable (example
    validator.aspx?address="blah@blah.com") so any user can just type in
    their email address into that link and it will validate it for them...
    now what I want to do is to encrypt this email but most of the
    encryption methods that I have searched into end up giving me
    very long strings but most professional websites that I have seen have done
    this but they use a very short encrypted string.. can somebody give me
    some hints on how to go about this...what is the best most professional
    method to use?

    btw i am coding this in asp.net 2.0 C#
    thank you in advance

    Awaiting your response


    ---
    Best Regards
    Amir

    *** Sent via Developersdex http://www.developersdex.com ***
  • Patrice

    #2
    Re: Email verification

    When thinking about encryption always ask yourself if you need to transmit
    this info...

    IMO those sites are not encrypting at all. They just create a unique
    impossible to guess ID and this id is included in the mail... Server side
    they know the address that is tagged with this unique id is valid...

    Patrice

    --

    "Amir Ghezelbash" <amir-20@rogers.com> wrote in message
    news:OVlI4VQbFHA.2884@tk2msftngp13.phx.gbl...
    >
    > Hello everybody, I had a question
    >
    > I am involved in a project where I need to verify the user's email
    > address by sending them an email and asking them to click on a link. now
    > I have done this but my link is human readable (example
    > validator.aspx?address="blah@blah.com") so any user can just type in
    > their email address into that link and it will validate it for them...
    > now what I want to do is to encrypt this email but most of the
    > encryption methods that I have searched into end up giving me
    > very long strings but most professional websites that I have seen have done
    > this but they use a very short encrypted string.. can somebody give me
    > some hints on how to go about this...what is the best most professional
    > method to use?
    >
    > btw i am coding this in asp.net 2.0 C#
    > thank you in advance
    >
    > Awaiting your response
    >
    >
    > ---
    > Best Regards
    > Amir
    >
    > *** Sent via Developersdex http://www.developersdex.com ***



    • Amir Ghezelbash

      #3
      Re: Email verification


      you mean a GUID ...if i do that ..then how would i know which email is
      it that they are trying to validate ?

      their account could have more than one email address!

      i have to somehow include the email address into the link

      ---
      Best Regards
      Amir


      • bradley

        #4
        Re: Email verification

        When the user submits their email address, and you store that address in a
        table (perhaps CustomerEmail), also store the GUID in a column. Therefore,
        you have a link between the GUID and a specific email address. Just be sure
        to use a randomly generated id like a guid instead of sequentially generated
        id, because it is more difficult to hack.

        "Amir Ghezelbash" <amir-20@rogers.com> wrote in message
        news:uarAChQbFHA.3400@tk2msftngp13.phx.gbl...
        >
        > you mean a GUID ...if i do that ..then how would i know which email is
        > it that they are trying to validate ?
        >
        > their account could have more than one email address!
        >
        > i have to somehow include the email address into the link
        >
        > ---
        > Best Regards
        > Amir
        >
        > *** Sent via Developersdex http://www.developersdex.com ***



        • Mythran

          #5
          Re: Email verification


          "bradley" <someone@microsoft.com> wrote in message
          news:enSl7nQbFHA.2128@TK2MSFTNGP14.phx.gbl...
          > When the user submits their email address, and you store that address in a
          > table (perhaps CustomerEmail), also store the GUID in a column. Therefore,
          > you have a link between the GUID and a specific email address. Just be sure
          > to use a randomly generated id like a guid instead of sequentially generated
          > id, because it is more difficult to hack.
          >
          > "Amir Ghezelbash" <amir-20@rogers.com> wrote in message
          > news:uarAChQbFHA.3400@tk2msftngp13.phx.gbl...
          >>
          >> you mean a GUID ...if i do that ..then how would i know which email is
          >> it that they are trying to validate ?
          >>
          >> their account could have more than one email address!
          >>
          >> i have to somehow include the email address into the link
          >>
          >> ---
          >> Best Regards
          >> Amir
          >>
          >> *** Sent via Developersdex http://www.developersdex.com ***
          >
          >

          As a side note, if you want small values instead of the long value GUIDs
          represent, you may want to look into Identity columns (incremented numeric
          values).

          Mythran


          • Patrice

            #6
            Re: Email verification

            Yes such as a GUID but it doesn't have to be (and shouldn't be IMO) the profile
            GUID (to avoid giving away an information that could be used some later day
            maliciously).

            I was thinking rather of something like a "job id".

            The whole process would be :
            - the user registers a new mail address (I suppose it goes in a child table
            of its profile with its own unique id)
            - register in the job table a new job with its unique id and the id of the
            mail address to validate
            - send the validation link

            When the user clicks the link :
            - retrieve the id of the mail to validate from the job table
            - update the address record to mark the address as validated
            - delete the record from the job table

            If the user is allowed to change its mail, you may want also to do the same
            process so that the updated address is validated (though it could be still
            the same record id in the db).

            Something along these lines...

            Patrice

            --

            "Amir Ghezelbash" <amir-20@rogers.com> wrote in message
            news:uarAChQbFHA.3400@tk2msftngp13.phx.gbl...
            >
            > you mean a GUID ...if i do that ..then how would i know which email is
            > it that they are trying to validate ?
            >
            > their account could have more than one email address!
            >
            > i have to somehow include the email address into the link
            >
            > ---
            > Best Regards
            > Amir
            >
            > *** Sent via Developersdex http://www.developersdex.com ***



            • bradley

              #7
              Re: Email verification

              You are right that an identity column could be stored as a much smaller
              integer value. However, the problem with identity values is that they are
              sequentially generated and it would be easy for the user to alter the url to
              point to another record.

              For example, let's assume the following URL were emailed back to the user:
              validator.aspx?confirmation=457

              They could edit the ID like so before submitting the link, thus validating
              another unrelated user or perhaps even gaining entry to another account.
              validator.aspx?confirmation=455

              "Mythran" <kip_potter@hotmail.comREMOVETRAIL> wrote in message
              news:%23pXkhsQbFHA.3132@TK2MSFTNGP09.phx.gbl...
              >
              > "bradley" <someone@microsoft.com> wrote in message
              > news:enSl7nQbFHA.2128@TK2MSFTNGP14.phx.gbl...
              > > When the user submits their email address, and you store that address in a
              > > table (perhaps CustomerEmail), also store the GUID in a column. Therefore,
              > > you have a link between the GUID and a specific email address. Just be sure
              > > to use a randomly generated id like a guid instead of sequentially generated
              > > id, because it is more difficult to hack.
              > >
              > > "Amir Ghezelbash" <amir-20@rogers.com> wrote in message
              > > news:uarAChQbFHA.3400@tk2msftngp13.phx.gbl...
              > >>
              > >> you mean a GUID ...if i do that ..then how would i know which email is
              > >> it that they are trying to validate ?
              > >>
              > >> their account could have more than one email address!
              > >>
              > >> i have to somehow include the email address into the link
              > >>
              > >> ---
              > >> Best Regards
              > >> Amir
              > >>
              > >> *** Sent via Developersdex http://www.developersdex.com ***
              > >
              > >
              >
              > As a side note, if you want small values instead of the long value GUIDs
              > represent, you may want to look into Identity columns (incremented numeric
              > values).
              >
              > Mythran
              >


              Comment
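The job-table flow described in posts #6 and #7, as an added example that is not part of the original thread: the link carries only a random single-use token and the server maps it back to the address row, so the address itself never appears in the URL. The dictionaries stand in for the database tables; the class and member names, the 24-hour expiry and the use of a CSPRNG-generated token in place of a GUID are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory stand-in for the job table and the address table.
class EmailVerification
{
    class Job { public int EmailId; public DateTime ExpiresUtc; }

    readonly Dictionary<string, Job> jobs = new Dictionary<string, Job>();
    readonly Dictionary<int, bool> validated = new Dictionary<int, bool>();

    // Register a job for one address row and return the link to mail out.
    public string CreateLink(int emailId)
    {
        byte[] raw = new byte[16];                       // 128 random bits
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        StringBuilder token = new StringBuilder(32);
        foreach (byte b in raw) token.Append(b.ToString("x2")); // hex needs no URL escaping
        // Assumption: links expire after 24 hours.
        jobs[token.ToString()] = new Job { EmailId = emailId, ExpiresUtc = DateTime.UtcNow.AddHours(24) };
        validated[emailId] = false;
        return "validator.aspx?confirmation=" + token;
    }

    // Handle a click: look the token up, delete the job, mark the address validated.
    public bool Confirm(string token)
    {
        Job job;
        if (token == null || !jobs.TryGetValue(token, out job)) return false;
        jobs.Remove(token);                              // single use, even if expired
        if (job.ExpiresUtc < DateTime.UtcNow) return false;
        validated[job.EmailId] = true;
        return true;
    }

    static void Main()
    {
        EmailVerification v = new EmailVerification();
        string link = v.CreateLink(457);                 // constructed sample row id
        string token = link.Substring(link.IndexOf('=') + 1);
        Console.WriteLine(link);
        Console.WriteLine(v.Confirm("455"));             // an edited value, not a stored token
        Console.WriteLine(v.Confirm(token));             // the token that was mailed
        Console.WriteLine(v.Confirm(token));             // the same token a second time
    }
}
```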

              • Amir Ghezelbash

                #8
                Re: Email verification

                thanks a lot guys...
                i have decided to go with tripleDES encryption method to encrypt the
                query string and save the key in the registry so only admin can have
                access to it ?

                any comments?


                ---
                Best Regards
                Amir


                • bradley

                  #9
                  Re: Email verification

                  Just out of curiosity, reply back with some examples of your encrypted
                  query strings.

                  "Amir Ghezelbash" <amir-20@rogers.com> wrote in message
                  news:%237aaG%23QbFHA.3048@TK2MSFTNGP12.phx.gbl...
                  > thanks a lot guys...
                  > i have decided to go with tripleDES encryption method to encrypt the
                  > query string and save the key in the registry so only admin can have
                  > access to it ?
                  >
                  > any comments?
                  >
                  >
                  > ---
                  > Best Regards
                  > Amir
                  >
                  > *** Sent via Developersdex http://www.developersdex.com ***



                  • Amir Ghezelbash

                    #10
                    Re: Email verification


                    here's what my link looks like

                    validator.aspx?Confirmation=+Iwq+rx0pQJeRHrGz+dnNf2T+iiG1G4/1Bv1DDwxpbk=


                    ---
                    Best Regards
                    Amir


                    • Phillip Ian

                      #11
                      Re: Email verification

                      Seems like you're going to want to be careful of having special
                      characters in that string. =, /, etc...they could confuse the URL
                      parser in the web server.

                      When I did the same thing, I used a GUID and stripped the dashes out to
                      be safe.


                      • Mythran

                        #12
                        Re: Email verification


                        "Phillip Ian" <phlian@comcast.net> wrote in message
                        news:1118342370.743439.112520@o13g2000cwo.googlegroups.com...
                        > Seems like you're going to want to be careful of having special
                        > characters in that string. =, /, etc...they could confuse the URL
                        > parser in the web server.
                        >
                        > When I did the same thing, I used a GUID and stripped the dashes out to
                        > be safe.
                        >

                        Aye, you should use the URLEncode method to encode special characters :)

                        HTH,
                        Mythran


                        • Sean M

                          #13
                          Re: Email verification

                          The concern with querystrings is that the server can modify them from
                          underneath you since certain characters have special interpretations within
                          a URL. This can cause problems for algorithms like Base64-encoding.

                          Here's some brief pseudo-code to save grief:

                          // encoding the string
                          string blah = "TEST";
                          // Crypter is not a real object -- implementation of this is left to you
                          Crypter crypt = new Crypter();
                          string encryptedBlah = Server.UrlEncode(crypt.Encrypt(blah));

                          // decoding the string (in the page that handles the link)
                          Crypter crypt = new Crypter();
                          // UrlDecode turns '+' into a space, so put the '+' characters back
                          string decryptedBlah =
                              crypt.Decrypt(Server.UrlDecode(Request.QueryString["blah"]).Replace(" ", "+"));


                          "Phillip Ian" <phlian@comcast.net> wrote in message
                          news:1118342370.743439.112520@o13g2000cwo.googlegroups.com...
                          > Seems like you're going to want to be careful of having special
                          > characters in that string. =, /, etc...they could confuse the URL
                          > parser in the web server.
                          >
                          > When I did the same thing, I used a GUID and stripped the dashes out to
                          > be safe.
                          >


                          Comment
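The Base64-in-a-query-string problem raised in posts #11 to #13, as an added example that is not part of the original thread: it shows what URL decoding does to an unescaped Base64 value, and two ways to keep the value intact (percent-encoding it when the link is built, or using a URL-safe Base64 alphabet). The `UrlSafeToken` class and the sample bytes are constructed for this example.

```csharp
using System;
using System.Net;

static class UrlSafeToken
{
    // Base64 with the URL-safe alphabet: '+' -> '-', '/' -> '_', padding dropped.
    public static string Encode(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static byte[] Decode(string text)
    {
        string b64 = text.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)                 // restore the dropped padding
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            case 1: throw new FormatException("invalid token length");
        }
        return Convert.FromBase64String(b64);
    }

    static void Main()
    {
        // Constructed sample bytes chosen so the Base64 form contains '+', '/' and '='.
        byte[] cipherText = { 0xFB, 0xEF, 0xFF, 0x3E, 0x8A, 0x21, 0xB4 };
        string plain = Convert.ToBase64String(cipherText);

        // What URL decoding does to the value if it is put in the link unescaped.
        string mangled = WebUtility.UrlDecode(plain);
        Console.WriteLine("{0} -> {1}", plain, mangled);

        // Percent-encoding the value when building the link survives the round trip.
        string escaped = Uri.EscapeDataString(plain);
        Console.WriteLine(WebUtility.UrlDecode(escaped) == plain);

        // The URL-safe alphabet needs no escaping at all.
        string safe = Encode(cipherText);
        Console.WriteLine(safe == Uri.EscapeDataString(safe));
        Console.WriteLine(Convert.ToBase64String(Decode(safe)) == plain);
    }
}
```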
