2

Suppose my site requires users to register for a member account with an email address, and the email needs to be verified and activated. I forbid users from registering with the same email twice. When that happens, should I remind the user to activate the email? Or just display the message 'This email has been used', the same as when trying to register with an already activated email?

ocomfd
  • 525
  • 1
  • 4
  • 7

3 Answers

2

You should never reveal on the website whether a specific e-mail address has been used to register. This allows a user enumeration attack and is likely a privacy issue for your users.

Instead, in your case, send an informational e-mail to the address in question.

Marcel
  • 3,494
  • 1
  • 18
  • 35
  • "send an informational e-mail to the address in question" might allow spamming e-mails and getting your website's SMTP server blacklisted – Xenos Jun 19 '18 at 15:15
  • @Xenos Since the e-mail is already registered, I would not consider this e-mail as spam. And an offending entity would want to send their own message anyway, not a generic text. – Marcel Jun 19 '18 at 21:40
  • 1
    IMO, an offending entity may be willing to get your website's SMTP server blacklisted, and one way would be to make it send e-mails in a loop to users. So I would still add a check to not send an "account locked" e-mail twice per day to the same e-mail address, and I would eventually monitor the number of sent e-mails per hour too. – Xenos Jun 20 '18 at 08:12
1

The user may have failed to click the activation link in the first email for a reason. Maybe the email didn't reach him. Maybe it got stuck in a spam filter. Maybe it was accidentally deleted. If a user requests a new activation email, it is probably because they want a new activation email. So give them one.

However, you should not have two activation tokens active for the same email at the same time. Before sending the new email, deactivate all old activation tokens for that email.

Also, as Marcel points out, depending on your users' privacy needs you may want to think about user enumeration attacks here.

Anders
  • 64,406
  • 24
  • 178
  • 215
0

There's a possibility that someone has tried to register using someone else's email address. In such a case all the other information, possibly including the username, is incorrect.

I'd remove the former unactivated account during this process, or automatically if it hasn't been activated within reasonable time. If the database doesn't require unique email addresses, I'd remove former extra accounts at least when another account finally gets activated.

Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55
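The three answers and Xenos's comment describe one registration flow: the same response on every path (Marcel), a single valid activation token that is rotated when a fresh mail goes out (Anders), a per-address send limit (Xenos), and expiry of accounts that never get activated (Esa). The following is an added example that puts those pieces together; it is not code from the question or from any of the answers. The `Registration` and `Account` names, the constants `ACTIVATION_TTL`, `RESEND_INTERVAL` and `GENERIC_MESSAGE`, the in-memory `accounts` dict standing in for the user table, and the `outbox` list standing in for the SMTP client are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy values for the example: a never-activated account is dropped
# after 72 hours (Esa), and no address is mailed more than once per hour (Xenos).
ACTIVATION_TTL = 72 * 3600
RESEND_INTERVAL = 3600

# The web client sees this text on every path, whether the address was new,
# pending activation, or already active (Marcel's point).
GENERIC_MESSAGE = "If this address is valid, an e-mail with further instructions has been sent."


@dataclass
class Account:
    email: str
    created_at: float
    activated: bool = False
    token: Optional[str] = None            # the single currently valid activation token
    last_mail_at: Optional[float] = None   # when we last mailed this address


class Registration:
    """In-memory stand-in for the user table and the mailer (assumed for the example)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.accounts: Dict[str, Account] = {}
        # Each entry is (recipient, kind, token); kind is "activate" or "already-registered".
        self.outbox: List[Tuple[str, str, str]] = []

    def _rate_limited(self, acct: Account) -> bool:
        # Xenos: never let a looped registration request turn the site into a mail cannon.
        return acct.last_mail_at is not None and self.now() - acct.last_mail_at < RESEND_INTERVAL

    def _deliver(self, acct: Account, kind: str, token: str = "") -> None:
        acct.last_mail_at = self.now()
        self.outbox.append((acct.email, kind, token))

    def _expire_stale(self) -> None:
        # Esa: remove accounts that were never activated within a reasonable time.
        cutoff = self.now() - ACTIVATION_TTL
        stale = [e for e, a in self.accounts.items() if not a.activated and a.created_at < cutoff]
        for email in stale:
            del self.accounts[email]

    def register(self, email: str) -> str:
        email = email.strip().lower()
        self._expire_stale()
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email=email, created_at=self.now())
            self.accounts[email] = acct
            acct.token = secrets.token_urlsafe(32)
            self._deliver(acct, "activate", acct.token)
        elif not acct.activated:
            # Anders: the old token is invalidated by overwriting it, so exactly one
            # token is valid at any time. Only rotate when a new mail actually goes
            # out, otherwise a rate-limited user would be left with no working link.
            if not self._rate_limited(acct):
                acct.token = secrets.token_urlsafe(32)
                self._deliver(acct, "activate", acct.token)
        else:
            # Marcel: the address is taken, so tell the mailbox owner, not the web client.
            if not self._rate_limited(acct):
                self._deliver(acct, "already-registered")
        return GENERIC_MESSAGE

    def activate(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        if acct is None or acct.token is None:
            return False
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not secrets.compare_digest(acct.token, token):
            return False
        acct.activated = True
        acct.token = None   # single use
        return True
```

Two practical caveats when moving this to a real application: hand the mail to a queue rather than sending it inside the request, otherwise the response time itself reveals which branch ran and the uniform message buys little; and apply the same uniform-response discipline to the password reset and login forms, since an enumeration oracle in any one of them undoes the others.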