Update August 2020:
I have turned this blog post into a site of its own. Please visit guide.mlz.me for a more updated version of this post.
_____________
Email address validation shouldn't be this hard. Yet it is obviously difficult enough that companies, webmasters and IT departments the world over get it wrong almost without exception.
I'll try to spell it out very clearly.
First things first.
Beginner programming 101
Raise your right hand and repeat after me:
Me: "I will NEVER..."
You: "I will NEVER..."
Me: "...trust user input."
You: "...trust user input."
It may seem difficult to believe that someone could either not know or not remember their correct email address. It happens often. VERY often.
Validating email addresses during new account registration
Step 1
Collect the user's email address from a web form of some kind. This web form will:
- Be served over https.
- Consist of two fields, forcing the user to type the email address twice.
- Perform at least a cursory syntax check, though that check will not reject VALID email addresses, such as those containing . or + in the local part (first.last+tag@example.com is a perfectly good address).
Step 2
Since you don't trust the user to type their email address correctly, you will assume that the validation message may be delivered to someone other than the intended recipient.
Because of this, your web form will additionally prompt the user for information only they know. This can be:
- A "security" question.
- A validation code number (or any string) that you displayed to the user on their browser page after the user submitted their email address on the web form.
- The user's chosen password, provided that you make certain you never email the password to the user for any reason. (Since you're NOT storing the password in plain text this is not possible anyway, right?)
- Any piece of identifying information that is kept private.
This secret identifying information will never, under any circumstances, be emailed to the user, either before or after successful validation.
The email can contain a clickable link to get them back to finishing the validation process. But first, again, raise your right hand and repeat after me:
Me: "I will NEVER..."
You: "I will NEVER..."
Me: "...send the user a simple clickable link in an email and assume that the clicking of the link establishes validity."
You: "...send the user a simple clickable link in an email and assume that the clicking of the link establishes validity."
Why does this not establish validity, you ask?
Because if you SEND THE DAMN LINK TO THE WRONG PERSON they can still click it!
Step 3
Send the address validation email message to the user.
Step 4
To finish the validation process, the user comes back to your site via the clickable link you provided in the email in the previous step. Now you will prompt the user with a web form asking for the piece of secret identifying data from Step 2, which was never, and could never be, transferred via email.
If the values match, the user can now be considered validated.
Else, goto Step 5.
Step 5
If the email address validation fails because the user typed the piece of identifying data incorrectly, or for any other reason, indicate this to the user with an error message.
Step 6
If the user fails to provide the correct identifying information after N-number of attempts, the validation process will be aborted. You will then delete the invalidated profile completely and point the user to the beginning of the account creation process again. FULLY DELETE THE PROFILE INFORMATION.
You will NOT volunteer to email the user their secret identifying data. Instead, you will FULLY DELETE THE PROFILE INFORMATION and force the user to start from scratch. Suggest to the user that this time they write the identifying piece of information down on a piece of paper. This is somewhat acceptable (provided that the piece of identifying information is not the password) since it is only used to validate the email address this one time.
Failure to fully delete the profile information properly runs a high risk of data collision and personal information leakage. If one John Smith attempts to sign up an account with jsmith@exampel.com, fails validation and re-registers with a corrected jsmith@example.com, then another John Smith attempts to register with jsmith@exampel.com, this new John Smith should NOT be able to see or otherwise collide with any information that may have been entered and associated with the first John Smith's account.
Forgotten password procedures
Again, repeat after me:
Me: "I will NEVER..."
You: "I will NEVER..."
Me: "...store users' passwords in plain text for conveniently mailing the password to them."
You: "...store users' passwords in plain text for conveniently mailing the password to them."
Step 1
After the user has clicked the link to initiate the forgotten password procedure, you will prompt the user for their username, or, ideally, their email address.
However, if you are collecting email addresses from your forgotten password form, you WILL NOT display an error message indicating whether or not the email address was found in your records; doing so lets anyone enumerate which addresses have accounts. Simply indicate that, if found, the forgotten password procedure for the indicated email address will be initiated. Optionally, indicate the email address from which the user can expect to receive the forgotten password procedure email so they can check their anti-spam measures as needed.
Step 2
Send the forgotten password initiation email message to the provided email address.
The amount of personal information contained in this email will be absolutely NONE.
Optionally, you can now include the helpful clickable link to take the user directly to your site.
Step 3
At this point, you can go back to Step 4 of the validation process above: the user returns via the link and must supply the secret identifying data before anything else happens. Obviously the password option from Step 2 does not apply here, since the user has forgotten it; a code displayed on the page in Step 1 of this procedure, and never emailed, does.
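To make both procedures concrete, here is an added example (not code from the original post) that models the registration validation (Steps 1 through 6) and the forgotten password flow (Steps 1 through 3) in memory. The class and function names, the attempt limit N=3, the outbox standing in for a mailer and the example.invalid URL are all assumptions for illustration; a real site would back this with a database, a real mail sender and expiring tokens.

```python
"""Added example, not from the original post: an in-memory model of the
registration-validation and forgotten-password flows described above.
All names (AccountStore, Pending, complete_validation, ...), the attempt
limit and the outbox mailer are assumptions for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # the post's "N"; assumed value

# Same reply whether or not the address is on file: no account enumeration.
RESET_REPLY = ("If that address is on file, a message from noreply@example.invalid "
               "has been sent to it. Keep the code shown here; you will need it "
               "after clicking the link.")


def looks_like_email(addr: str) -> bool:
    """Step 1: cursory syntax check that must not reject valid addresses
    such as first.last+tag@example.com. The round trip below is the real test."""
    local, sep, domain = addr.rpartition("@")
    return bool(sep and local and "." in domain) and not any(c.isspace() for c in addr)


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted slow hash: the secret is never stored or emailed in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Pending:
    email: str
    purpose: str               # "register" or "reset"
    salt: bytes
    secret_hash: bytes
    attempts: int = 0
    profile_data: dict = field(default_factory=dict)


class AccountStore:
    def __init__(self) -> None:
        self.pending: dict[str, Pending] = {}    # keyed by the token in the link
        self.verified: dict[str, dict] = {}      # email -> profile, after Step 4
        self.outbox: list[tuple[str, str]] = []  # (to, body): constructed stand-in mailer

    def _send_link(self, email: str, token: str) -> None:
        # Step 3 / reset Step 2: the mail carries the link and nothing else.
        self.outbox.append((email, f"https://example.invalid/verify?token={token}"))

    # Registration, Steps 1-3
    def begin_registration(self, email: str, email_again: str,
                           secret: str, profile_data: dict) -> str:
        if email != email_again or not looks_like_email(email):
            raise ValueError("addresses differ or look malformed")
        salt, token = secrets.token_bytes(16), secrets.token_urlsafe(32)
        self.pending[token] = Pending(email, "register", salt,
                                      _hash_secret(secret, salt),
                                      profile_data=dict(profile_data))
        self._send_link(email, token)
        return token

    # Forgotten password, Steps 1-2
    def request_password_reset(self, email: str) -> tuple[str, str]:
        """Returns (on-screen code, reply). Both are produced whether or not
        the address exists, so the response does not reveal who has an account."""
        code = f"{secrets.randbelow(10**6):06d}"   # shown in the browser, never emailed
        if email in self.verified:
            salt, token = secrets.token_bytes(16), secrets.token_urlsafe(32)
            self.pending[token] = Pending(email, "reset", salt, _hash_secret(code, salt))
            self._send_link(email, token)
        return code, RESET_REPLY

    # Steps 4-6: clicking the link proves nothing; knowing the secret does
    def complete_validation(self, token: str, secret_attempt: str) -> str:
        pending = self.pending.get(token)
        if pending is None:
            return "invalid_or_expired"
        if hmac.compare_digest(pending.secret_hash,
                               _hash_secret(secret_attempt, pending.salt)):
            del self.pending[token]
            if pending.purpose == "register":
                self.verified[pending.email] = pending.profile_data
            return "validated"
        pending.attempts += 1
        if pending.attempts >= MAX_ATTEMPTS:
            del self.pending[token]              # Step 6: FULLY delete, start over
            return "aborted_start_over"
        return "wrong_secret_try_again"          # Step 5


if __name__ == "__main__":
    store = AccountStore()
    t = store.begin_registration("jsmith@exampel.com", "jsmith@exampel.com",
                                 "rosebud", {"name": "John Smith"})
    # Whoever received the mail clicks the link but guesses the secret wrong 3 times.
    for guess in ("a", "b", "c"):
        print(store.complete_validation(t, guess))
    print("pending:", store.pending, "verified:", store.verified)  # both empty
```

Note that a failed registration leaves nothing behind for the next jsmith@exampel.com to collide with, and that the forgotten-password reply is byte-for-byte identical for known and unknown addresses; only the outbox differs, and the user cannot see that.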