I usually post about Security on Twitter - you can follow me there:
Building a full-fledged, production ready registration for your web application is oh so much more than just putting together a simple registration page.
There are a lot of questions that need to be answered:
- How do I verify the email addresses of new users?
- How do I properly and safely store user credentials?
- What if a user forgets their password?
- What about users changing their own password?
- How strong should passwords be? How can I enforce some sensible defaults in the app so that my users have good, strong passwords?
- What if I have more than one type of user? I need a good way to store roles and privileges.
- What about security questions? Should I even have them?
- How do I do all of this with good localization support? There are a lot of messages involved.
>> The Registration Process
Starting at the top – this is how to set up a basic Registration process for your web app. Doesn’t have to many bells and whistles, but it’s clean and functional to begin with.
>> Registration – Activate a New Account by Email
Now we want to make sure that users verify their emails before being able to just log into the app.
>> Resend the Verification Email
If a user signs up and doesn’t verify their email for a while – their verifications expires at some point. This is how they request a new verification link.
>> Registration – Password Encoding
The age old question – how to store passwords? Simple answer? You don’t!
>> Reset Your Password
Users are forgetful creatures – so they’ll forget their passwords sooner rather than later. You should have a good way for your users to reset their passwords if they need to.