Tuesday 20 October 2020

Web applications, registration and confirmation

If we want to be able to manage sessions for people who have logged in successfully, we need a way to register those users.
We want to make sure people do not use a name (email address) that is already taken and we need to verify that the email address is valid.
This means that we will not register them right away but store their email address and password along with a confirmation key in a temporary table. We then send this key to their email address in the form of a clickable link. If this link is clicked within an acceptable time (like 15 minutes or so) their registration is made permanent and they are redirected to the login page.

The preliminary workflow looks like this

Note that we do not have a separate process that looks for expired requests but that we deal with those during the request or verification event itself. The idea is that registration and verification are relatively rare events and running a separate process to remove expired requests would just waste CPU resources.
The picture isn't complete yet because we also need to create a workflow for resetting passwords that people have forgotten.
On top of that we also need to implement some rate limiting because now it is pretty easy to swamp a mailer by flooding the server with registration requests.
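
The pending-registration workflow with lazy expiry described above, as an added example in Python (not code from this blog's application). The table layout, the function names, the PBKDF2 password hash and storing only a SHA-256 hash of the confirmation key are assumptions of the example; mailing the link is left to the caller.

```python
import hashlib, secrets, sqlite3, time

TTL = 15 * 60  # confirmation window in seconds (the post's "15 minutes or so")

def open_db():
    # Autocommit connection; table layout is an assumption of this example.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript("""
        CREATE TABLE users(email TEXT PRIMARY KEY, salt BLOB, pwhash BLOB);
        CREATE TABLE pending(email TEXT PRIMARY KEY, salt BLOB, pwhash BLOB,
                             keyhash TEXT UNIQUE, expires REAL);
    """)
    return db

def _purge(db, now):
    # Lazy cleanup: expired requests are dropped during a request or
    # verification event, so no separate sweeper process is needed.
    db.execute("DELETE FROM pending WHERE expires <= ?", (now,))

def register(db, email, password, now=None):
    """Store a pending registration; return the key to mail, or None if taken."""
    now = time.time() if now is None else now
    _purge(db, now)
    if db.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone():
        return None
    salt = secrets.token_bytes(16)
    pwhash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    key = secrets.token_urlsafe(32)  # unguessable value embedded in the link
    keyhash = hashlib.sha256(key.encode()).hexdigest()
    # A repeated request for the same address replaces the earlier one.
    db.execute("INSERT OR REPLACE INTO pending VALUES (?,?,?,?,?)",
               (email, salt, pwhash, keyhash, now + TTL))
    return key

def confirm(db, key, now=None):
    """Make a pending registration permanent; True if the key was valid."""
    now = time.time() if now is None else now
    _purge(db, now)  # an expired key is gone before we look it up
    keyhash = hashlib.sha256(key.encode()).hexdigest()
    row = db.execute("SELECT email, salt, pwhash FROM pending WHERE keyhash = ?",
                     (keyhash,)).fetchone()
    if row is None:
        return False
    db.execute("DELETE FROM pending WHERE keyhash = ?", (keyhash,))  # single use
    db.execute("INSERT INTO users VALUES (?,?,?)", row)
    return True
```

The `now` parameter exists so the expiry path can be exercised without waiting; in the application it is left at its default.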
