I'm not a big fan of sending the password to the user - you've just sent, in the clear, the two keys to the account: e-mail address and password.
You can send the user an e-mail with some random number that will verify them (include as part of the URL). When the user with the correct password (if used)/username/random key logs in, that "activated" field goes to yes, as you've indicated. Note that this can be done with users who have set up a password or not. Logic is just to check for that extra field if the user's "active" flag is NO. (Also - use a bit field instead of "yes" or "no" - less overhead.)

Otherwise, a person can use the e-mail you send - with a URL param of either the e-mail address or an ID value - and play with this to see what happens (if I get "http://www.site.com?id=7", I'm going to try "id=6" etc...).

Once a user is authorized, it's best to set session variables once they hit the site (can also cookie it for longer "sessions"), and do your CFIF on this value. The way I usually do this is to set the session.user_id (or whatever) to zero if the user is not in session (so it's always there to evaluate), set to the user_id if the user is in session.

>I'm building a site where I'm asking people to register (free) as members.
>Since there's no credit card or money transaction, I still want to ensure
>the member is using a valid email address, so I want to do what the likes of
>Yahoo and others do - send an email to the user asking her to activate her
>account.
>
>But what's going on in the background in these systems? Here's what I
>think happens, but can anyone tell me if this is what is really happening,
>or if there's a better way to verify their email address?
>
>[1] the user fills out the registration form on line
>[2] on "submit", the data is entered in the user data table, with a bit
>field, say "activated" set to NO.
>[3] The user is sent an email asking to click on a link which takes them to
>a validation page.
>[4] The user is allocated an id number, perhaps the UserID, the primary key
>of the User table which is added to the link on the email.
>[5] when the user clicks on the link, the action page retrieves the user
>from the data table based on the UserID (which was a field in the table)
>[6] The action page sets the "activated" field to YES
>[7] all restricted access pages have the test <cfif (user.activated)> to
>permit access.
>
>
>Is that what's happening there?
>Is there a simpler way to do it?
>
>
>
>Cheers,
>Michael Kear
>Windsor, NSW, Australia
>AFP Webworks.
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm?link=i:4:137998
Archives: http://www.houseoffusion.com/lists.cfm?link=t:4
Subscription: http://www.houseoffusion.com/lists.cfm?link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. http://www.cfhosting.com
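The activation flow the reply recommends (a random key in the link rather than a guessable id, an "activated" bit, and session.user_id held at 0 when nobody is logged in), as an added Python example that is not code from the thread; the in-memory table, the hashed key storage, and the 24-hour link expiry are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

ACTIVATION_TTL = 24 * 3600  # constructed choice: activation links expire after a day

# Minimal in-memory stand-in for the user table; each row carries the
# "activated" bit plus a hash of the random key that was mailed to the user.
users = {}


def register(user_id, email, password_hash):
    """Insert the user with activated=0 and return the key to put in the e-mail link."""
    key = secrets.token_urlsafe(32)  # 256 random bits: cannot be walked like id=6, id=7
    users[user_id] = {
        "email": email,
        "pw": password_hash,
        "activated": 0,
        # store only a hash, so reading the table does not yield live activation links
        "key_hash": hashlib.sha256(key.encode()).hexdigest(),
        "key_issued": time.time(),
    }
    return key


def activate(user_id, key, now=None):
    """Flip activated to 1 only if the presented key matches and is still fresh."""
    now = time.time() if now is None else now
    row = users.get(user_id)
    if row is None or row["activated"]:
        return False  # unknown user, or link already used
    if now - row["key_issued"] > ACTIVATION_TTL:
        return False  # stale link
    presented = hashlib.sha256(key.encode()).hexdigest()
    if not hmac.compare_digest(presented, row["key_hash"]):
        return False  # the id alone is not enough; the random key must match
    row["activated"] = 1
    row["key_hash"] = None  # single use
    return True


def session_user_id(session, user_id=None):
    """The reply's convention: session.user_id always exists, 0 when not logged in."""
    row = users.get(user_id) if user_id is not None else None
    session["user_id"] = user_id if row and row["activated"] else 0
    return session["user_id"]
```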