I'm looking to send a user a link if they forget their password.
I have it that they enter their email address and an email is sent to them with a link to reset their password - although I want this link to expire in two days.
Looking at a password reset email I got sent from an online store, I was looking to keep it generally the same format, but I'm unclear how the the expiry part of the URL is created.
The example URL I got sent is:
http://www.mydomain.com/reset.aspx?expires=1317124368&passwordreset=1&username=thegunner%40yahoo.com&authCode=dfb83e3074d395a7606bdc1825d709197fa984ab
passwordreset=1 ...ok no prob
username = email address ...no prob
authcode ...I guess I could just generate GUID code.
expires=1317124368 ...how could this part be created? I guess it's a time stamp in some format of the day the email was sent - how could I recreate this?
Any ideas?
The expires in that URL may very well be the id of the record in the table that actually holds the date and time when the link expires.
You could do the same: send the link via email and store in a table the link, the date and time when it expires plus an identity column (autogenerated), and possibly some other information (email, etc).
When the person clicks on your link, you use that ID to get the expiration date and time to determine whether the person is allowed to use the same link or not.
Or... that number may represent a date and time measured in milliseconds, ticks, nanoseconds,etc, counting from a specific date and time.
Related
I'm wondering whether WebAuthN APIs can be used to identify an individual. Do any of the following hold
Can the authenticator ever return info about the individual e.g. First name, email etc
Will the authenticator always give us the same ID back for Alice when she uses this device regardless of which website I'm requesting from?
Will different devices ever give back the same ID for the same user?
Can the authenticator ever return info about the individual e.g. First name, email etc
It can if you set personally-identifying information to the value of user.id in the options you pass to navigator.credentials.create(). Also referred to as the "user handle", the spec includes a section specifically about how this value is one way the API can leak personally-identifying information if you're not careful what value you set user.id to.
Will the authenticator always give us the same ID back for Alice when she uses this device regardless of which website I'm requesting from?
The authenticator will not give back the same ID on every website. Every successful invocation of navigator.credentials.create() generates a unique credential bound to the website, meaning every website would have to use the same value for Alice's internal user ID for this to even have a chance of happening. And for any given website the authenticator only gives back the value of user.id (as passed into navigator.credentials.create()) as userHandle in the response from navigator.credentials.get() when Alice logs into that site.
Will different devices ever give back the same ID for the same user?
Different registered authenticators would give back the same ID for Alice provided you specify the same value for user.id whenever Alice registers an authenticator.
I am trying to track the number of email opens of a mailing.
This mailing is not personalised, so each receiver will get exactly the same email contents.
So far I have found out that I can add a tracking pixel in the mailing, which will send data to GA that a user opened the mail (images were loaded).
Example code:
<img src=”http://www.google-analytics.com/collect?v=1&tid=UA-XXXXXX-X
&cid=EmailOpenTest&t=event&ec=email&ea=open&el=EmailOpenTest
&cs=newsletter&cm=email&cn=Email&cm1=1″ />
'tid' will be our custom tracking ID.
This all works, as when this link is opened the total number of hits increases.
But my question relates to parameter 'cid'. For testing purposes, I have set this here to "EmailOpenTest". But this should be a random/unique ID per user actually. But as the mailing is not personalised, I wonder if it would be possible to track individual users?
Does this mean I have to include javascript in the mail? Would that even work in all email clients? Or are there other options?
All suggestions are welcome.
Assumption: you are using a mail client like Mail Chimp
Assign a unique id to every email on the email list. lets say this unique id is uid
Create a custom dimension in GA, lets name it as Client Mail Id with index say 1
Create the same pixel just like you have created above in the OP.
Add a custom Dimension in the hit as
http://www.google-analytics.com/collect?v=1&tid=UA-XXXXXX-X
&cid=EmailOpenTest&t=event&ec=email&ea=open&el=EmailOpenTest
&cs=newsletter&cm=email&cn=Email&cm1=1&cd1=uid
In place of uid, you actually need to pass the mail list unique id for that email
How it will work
Once the user sends this hit, your unique id will be recorded in custom dimension 1.
Generate a custom report in GA with event category=email & event action=open and add a dimension custom dimension 1.
All the id's displayed there have actually opened the email ;)
PS: It's tried and tested, so won't cause any issue. Also if you don't want to use custom dimensions, you can also send this id in event label or event value
PPS: In any mail client, getting unique value for that email is pretty easy. You can actiually use its position number or add another column for the unique id, then grab that id win the template
The cid is the clientId, an identifier that is used to aggregate pageviews into sessions, and sessions into unique users.
The way to use that in email-tracking would be to capture the client id when a user subscribes to your newsletter and then insert it into the email links. Since your mails are not personalized this will not work.
If you use a random ID you will not be able to link the request from the mail to an existing user. So one way to deal with the problem would be to ignore it - using a constant userId would still give you an event count (the unique events metric might be a little of if users click the link multiple times within a session lifetime).
If for some reason you absolutely need to track these as different users you can set up a redirect - do not send data to ga directly from your mail, instead call a script on your server that inserts a random clientId and then sends the data to Google.
I have many quotes on the website and I want user to be able to vote, Like or Unlike each quote. The problem is that if I save the voted info in a cookie, there is a 4kb limit and if there is a visitor which votes on 100 quotes it may exceed the cookie limit.
What is the best method to store the vote information for non logged users?
The votes are also stored in database, but without any user information saved. Only logged users have saved info for each vote.
You can save votes on a table with columns:
quoteid,
userguid (guid)
And set a cookie on nonregistered users browser with an assigned GUID
when a user visit your site check the user GUID or assign him a new one. This way you can block votes.
You can use HTML5 Local Storage.
I would assign the non-logged in user a random ID and store this ID in the cookie.
The Id can then be used to reference data in your database.
I want to know that when user registering how to check the email id is exists or not.
In order to validate an email you can use 2 things
Send yourself an email and check the answer back (this can take up to 24 hours as email servers sometimes don't send the answer back right away) and read the response headers back from the email server
You can signup for a commercial service that does this for you.
BUT
We never, ever, do this ...
We simply send the user an email with a confirmation link and block his/her account until they confirm it.
for example:
The user bruno creates an account in your website with the email abc#domain.com.
After you create the user in your User table you also have a bit (boolean) column names is_confirmed that you say 0
DECLARE #guid uniqueidentifier
SET #guid = NEWID();
INSERT INTO [TblUsers]
( 'email', 'username', 'is_confirmed', 'create_date', 'unique_id' )
VALUES
( 'abc#domain.com', 'bruno', 0, GETDATE(), #guid );
SELECT #guid;
then you send a nice Welcome email with the id you got form the insert procedure
http://yourdomain.com/confirm/?<%= userGuid %>
you simple send a Welcome message asking the user to confirm within that link, open confirm, welcome him and ask to provide a password.
That's how we see if the email is a real one or not!
If you want to know whether they have entered a genuine, real email address that they use, then the only way is to send them something then have them confirm it back to you.
If you just want to check the format is valid, then Google (or Bing if that is your preference) for email address verification regular expression.
I have a forgot password page in which i need to ask from the user his user id to provide him his password from the database and it is working but what to do if anyone enters any wrong user id.
Be aware that there's a certain measure of risk in this. If you always respond with a message saying that the User ID is incorrect, then that can be used to guess User IDs in your system. An attacker can brute-force this form with variations of common names and end up with a sizable list of your users. For any given account, that gives them half of the information needed to login as that user.
I would recommend that you display a message saying that an email has been sent to the email address for that account with instructions to reset the password (which includes a time-sensitive key required for the reset), regardless if the User ID was found in the system or not. If they don't get the email, they can always try again (assuming the first attempt included a typo in the User ID). If they don't actually know their User ID, there can be another form to recover that by entering their email address (behaves in a similar manner to this form, always showing success on the form and just sending the email where applicable).
You have to perform following 3 steps to ensure tight security.
1) Based on the userid fetch the user information from database. If the information is null then send an error to the user, saying invalid UserId.
2) a) If you have registration of EmailId at the time of user creation, then send the password to the registered mail.
b) If you don't have registration of EmailId then ask and match the security question selected at the time of user registration.
3) If possible try to combine the a) & b) points of point 2) for more enhanced security.
You must do SELECT to check if that records exists and proceed if so.
Simply return a message stating they have entered an incorrect user id.
If you're asking what do you do if they give you the valid ID of another user entirely, then I'm assuming you're doing something quite unsafe with the password you're recovering (you aren't just showing them the password are you?) - most systems like this will email you the password, at least affording the security that only the associated email account will ever be given the password.
SELECT * FROM users WHERE username = inputhere
if (mysql_num_rows($result) > 0)
{
// found it
}
else
{
// doesn't exist
}
Is that what you were looking for?