[Catalyst] email confirmation widget?

Ian Docherty catalyst at iandocherty.com
Thu Oct 11 10:09:40 GMT 2007 

Dave Rolsky wrote:
> On Wed, 10 Oct 2007, Dustin Suchter wrote:
>
>> Has anyone put together a nice email-validation-link-generator
>> widget for Catalyst (or Perl, for that matter)? All I can find on
>> CPAN is something that is part of Jifty (whatever that is).
>>
>> http://search.cpan.org/~jesse/Jifty-0.70824/plugins/Login/lib/Jifty/Plugin/Login/Action/ConfirmEmail.pm 
>>
>>
>> In a perfect world this widget would be really simple:
>>
>> -generates long random codes for use in confirm links
>> -stores those links server-side in temp files instead of a DB to
>> prevent DDoS on a db
>
> Huh? You can't prevent a DDoS by storing stuff on the filesystem and 
> not in a DBMS. And the distributed part isn't the issue, it's just the 
> DoS part one would worry about. Presumably filling up the file system 
> will also cause a DoS, but so would signing up for an account in the 
> app of choice and submitting too much content.
>
> More importantly, some people will _need_ to store it in the DBMS 
> because they have multiple web servers and don't want to enable NFS 
> just to store it in the file system ;)
>
> If this sort of plugin were useful, the storage should probably be 
> pluggable, just like with Sessions. I'm not convinced that this sort 
> of thing can be made generic enough to be a useful plugin, but that's 
> a different issue.
>
>
> -dave
>
I don't have code for this any more, but it is possible to do this
without storing anything either in the DB or the filesystem so it would
prevent any DoS.

The principle is this.

Create a text string containing the user-id and the date, e.g.
'666-20001011' then append a 'secret' code to it only known by the
server giving you a string like '666-20001011-ThiSW1llNev3rBQuessed'.

You now apply your favorite one-way hash function to this string, for
example MD5 or SHA1.

You now include in your email the link to the site with the string
''666-20001011-<SHAD1orMD5string goes here>'

When you receive the code you can tell (from the date) if it has expired
and the user-id and you can verify the hash value by re-applying the
server secret code to these values by re-creating the string.

This gives you email validation, with timeout, without having to store
anything serverside.

Regards
Ian

More information about the Catalyst mailing list