I'm working on a registration process for an internal application. My initial design is below.
My main question is whether it's really necessary to include a registration_confirmation_code. Does it protect the app from a realistic threat or just add unnecessary complexity? I'm not sure about that.
User enters email address. Since this is an internal app, it has to be an agency address.
If it's a valid agency address, app creates a new row in the users table.
The table has a column registration_confirmed which is false by default. App won't let a user log in unless registration_confirmed is true.
The table has a column registration_confirmation_code which is a randomly-generated string.
App sends an email to the address the user entered. It contains a link to a page that will let the user confirm their registration and set their username and password.
The link has the user's id and registration_confirmation_code in the query string:
http://agencydomain.com/users?id=123®istration_confirmation_code=fab49dk34nw97d
By clicking on the link the user verifies that the address they entered is valid and that they have access to it.
The app finds the user by ID. Before allowing them to visit the page where they can set their username and password, the app checks that...
registration_confirmed is false. They should only be able to confirm their registration once.
registration_confirmation_code request param matches the value in the DB for that user. That ensures this is a legitimate registration confirmation by the intended user and not someone else hitting the URL with random IDs trying to hijack a registration.
If everything checks out, the app takes them to a page with a form for setting their username and password.
When they submit the form with valid data, app sets registration_confirmed to true and they are registered.
Fraud prevention and data protection This means you can easily check when an entry was altered, who deleted a category and if any exports have been produced. You can also easily mitigate the risk of voter abuse (i.e. one unknown user voting thousands of times).
New User Registration is a framework that enables a user to sign in to the Campus Solutions system in order to complete a specific online self-service transaction.
Don't trust people even if they are internal to your organization. It sounds bad but unless you're dealing with a very small group, your method is a wise choice.
One more thing, you may want to ensure their email is unique.
Another approach is using a centralized authentication and skipping the whole registration process.
On first login attempt, create a user profile from a template.
Authentication can be done a number of ways. Ideally, something like LDAP (or Active Directory if that's how you swing). It's also possible to use the mail server for authentication, depending on how it is configured.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With