I have an email verification page and I want to make sure it was accessed through an email, that it was my email, and that someone hasn't just obtained, guessed, or figured out the mechanics of the URL to cause some mischief.

I was looking into HTTP_REFERER, but I've heard it isn't a very secure way of checking as it can be spoofed easily?

I have other uses I want to use this for other than email verifications, but I wanted a more secure and trustworthy method. Are there better ways of verifying where the visitor is coming from?

  • Use some form of a token in the URL to verify the email address. Why does it need to be so secure? I mean the only thing that happens is that an email address is validated, right? – PeeHaa Sep 13 '12 at 01:46
  • an email is just an example. I just feel as though there will be times where I need to make sure the user is coming from the correct source. –  Sep 13 '12 at 01:48
  • "I need to make sure the user is coming from the correct source." You shouldn't have to worry about it. The user has to log in and if his/her credentials are correct it is a valid user wherever he/she is coming from. – PeeHaa Sep 13 '12 at 01:49
  • I suppose, I just like my PHP to be completely secure and there is no funny business going on on the side –  Sep 13 '12 at 01:50
  • Just generate some random string when users try to sign up and `sha1()` that and send it to the email address given by the user to verify the address. – PeeHaa Sep 13 '12 at 01:51
  • You should worry more about hashing the password (bcrypt), using prepared statements to access data, and preventing XSS and CSRF than the email address verification process. – PeeHaa Sep 13 '12 at 01:52
  • Hassle your users enough for "completely secure and no funny business" security measures, and you won't have to worry about it for long. You won't have any users to worry about. – Jared Farrish Sep 13 '12 at 04:01
  • @JaredFarrish That sentence didn't make sense. I think the wording should be either "You won't have any bad users to worry about" or "You won't have any users left." –  Sep 13 '12 at 04:57

2 Answers


A NONCE will help. Issue the client with a NONCE on the first page, and then the client needs to include the issued NONCE in their reply.

WordPress for example uses this approach.

nonce = number used once. Refer to the Wikipedia article.

For a PHP-specific implementation, refer to the PHP manual.

Sepster

You cannot trust the HTTP header: it can be forged.

You cannot expect to receive a referer header: websites from HTTPS:// will not forward that information. To do so would be against security expectations, and no, you cannot force it.

As Sepster posted, you can use a nonce. If you wish to use something other than PHP's oAuth, you could create a hash value of the email concatenated with 24+ bits of cryptographically secure pseudo-random numbers from a source such as /dev/urandom. If you don't have access to /dev/urandom on your POSIX operating system, you should not be attempting to write secure software. Secure software without a cryptographically secure PRNG is not secure software.

You could store that hash in your table and roll your own code to deal with attempted registrations with the nonce.

Incognito
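
The nonce approach both answers point to, as an added example in PHP (not code from either answer): it takes the random part from `random_bytes()` and stores only a SHA-256 hash of the token, which is a variation on the hash-of-email-plus-random construction described above. The `$store` array, the function names and the example.com URL are assumptions standing in for a real table and site; it needs PHP 7.1 or later.

```php
<?php
// Added example: single-use, expiring email verification tokens.
// $store is a hypothetical in-memory stand-in for a database table.

function issue_token(array &$store, string $email, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the OS CSPRNG
    $store[hash('sha256', $token)] = [       // only the hash is kept at rest
        'email'   => $email,
        'expires' => time() + $ttl,
    ];
    return $token;                           // this value goes into the emailed link
}

function redeem_token(array &$store, string $token): ?string
{
    // Reject anything that is not exactly 64 lowercase hex characters.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                         // unknown, guessed, or already used
    }
    $row = $store[$key];
    unset($store[$key]);                     // single use: burn the token on first lookup
    if ($row['expires'] < time()) {
        return null;                         // issued too long ago
    }
    return $row['email'];                    // caller marks this address as verified
}

// Constructed demonstration.
$store = [];
$token = issue_token($store, 'alice@example.com');
echo 'https://example.com/verify.php?token=' . $token, PHP_EOL; // placeholder URL

var_dump(redeem_token($store, $token));              // first use of the emailed link
var_dump(redeem_token($store, $token));              // replay of the same link
var_dump(redeem_token($store, str_repeat('0', 64))); // well-formed but guessed token
```

The check never consults `HTTP_REFERER`: possession of an unguessable token that was only ever sent to the mailbox is what ties the request to the email.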