A draft version : Register / Login / Forgot Password / Remember Me / Social Login
February 28, 2019
  1. Register :
    1. Sign up form with email (or username) and password fields (along with other info)
    2. Save the data in the database table (~users); store only a hash of the password (a slow, salted password hash such as bcrypt, scrypt or Argon2), never the password itself
    3. Set a table column (as flag ~status) to 0 (=unverified email)
    4. Generate a random token (from a cryptographically secure generator, e.g. 32 bytes) and store its hash in another column (~email_verification_hash). Only the raw token goes into the link, so a leaked copy of the table does not yield working links
    5. #suggestion – Store an expiry timestamp (~1 hour / 1 day etc) for the link
    6. Send an email with the verification link (containing the token above)
    7. The user clicks on the email link to verify
    8. Read the token sent from the email link (via GET), hash it and compare with the DB stored hash using a constant-time comparison (if using a link expiry timestamp, then check that as well). If the link is found to be valid, update the flag (~status) to 1 (=verified email) and clear the stored hash so the link is single-use
    9. Redirect to a "Thank you" page
    10. Link to the login page and automatically redirect to it (~5 seconds)
    11. #Suggestion – Log the user in immediately after successful link verification
  2. Login :
    1. Submit form with email (or username) + password
    2. Look up the email in the DB and check the status (verified)
    3. Run the submitted password through the same password-hashing function (with the stored salt) and compare with the stored hash in constant time. Do the hashing even when no record is found (against a dummy hash) and return one generic error for "unknown email", "wrong password" and "not verified", so the form does not reveal which emails are registered
    4. Create a fresh session (regenerate the session ID at login rather than keeping the pre-login one) holding a unique identifier (encoded ID of the record, or some other parameter that makes sense)
    5. Send the user to the HTTP Referer (only if it exists and its host matches the hosting domain exactly; a substring check here is an open redirect) or to a predefined home/profile page
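The login steps above, as an added example that is not part of the original draft. It keeps the whole "users" table in a constructed dictionary, uses scrypt from the Python standard library as the password hash (the parameters and the "scrypt$salt$digest" encoding are assumptions, not anything the draft specifies), verifies against a dummy hash when the email is unknown so the response time does not leak whether an address is registered, issues a brand-new session ID on success, and only follows the Referer when its host is exactly the hosting domain:

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlparse

# scrypt work factors are an assumption for this example; tune them for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Salted scrypt hash encoded as 'scrypt$<salt hex>$<digest hex>' (encoding is assumed)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed stand-in for the users table (email -> row); status 1 = verified email.
USERS = {
    "alice@example.com": {"id": 42, "status": 1,
                          "password_hash": hash_password("correct horse battery staple")},
    "bob@example.com":   {"id": 43, "status": 0,
                          "password_hash": hash_password("hunter22hunter22")},
}

# Hash of a throwaway password, verified against when the email is unknown, so the
# login attempt costs the same time whether or not the address is registered.
DUMMY_HASH = hash_password(secrets.token_hex(16))

SESSIONS = {}   # session id -> user id


def login(email, password):
    """Return the user's id on success, otherwise None. Unknown email, wrong password
    and unverified account all give the same result, so the caller shows one message."""
    row = USERS.get(email.strip().lower())
    ok = verify_password(password, row["password_hash"] if row else DUMMY_HASH)
    if row is None or not ok or row["status"] != 1:
        return None
    return row["id"]


def start_session(user_id):
    """Issue a brand-new session id at login; never keep a pre-login id (session fixation)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def safe_redirect_target(referer, our_host, default="/profile"):
    """Return a same-origin path taken from the Referer header, or the default page.
    The host must match exactly; a prefix/suffix/substring match, or accepting a
    scheme-less '//host' value, would make this an open redirect."""
    if not referer:
        return default
    parts = urlparse(referer)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != our_host.lower():
        return default
    return parts.path or "/"
```

Returning only the path (not the full Referer) means the browser is always sent to the application's own origin; the host check is what keeps "app.example.com.evil.net" from passing.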
  3. Forgot Password :
    1. Sign up / Login > Forgot password form > Enter email
    2. Generate a fresh random token, store its hash and an expiry (~1 hour) in the DB and send a link containing the token in the email (the same column can be used as the one used for account verification, as that would not be used anytime after the initial verification; record which flow issued the current token). Respond with the same "if that address is registered, an email is on its way" message whether or not the email exists
    3. Clicking on the email link takes the user to a page asking to enter the new password and confirm it
    4. After a successful token check (hash matches in constant time, not expired) and password checks (both fields match, policy met), store the hash of the new password, clear the token so the link cannot be reused, and invalidate the account's existing sessions and remember-me tokens
    5. Show a "Thank you" page and automatically redirect to the login page
    6. #Suggestion – Log the user in immediately after a successful password change
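The token handling shared by the Register (email verification) and Forgot Password steps above, as an added example that is not part of the original draft. A single token column is reused for both flows, as the draft suggests, with a purpose field recording which flow issued it. Only a SHA-256 hash of the token is stored; the raw token goes into the link. The lifetimes, the minimum password length and the scrypt parameters are assumptions for this example, and the "users" table is a constructed dictionary:

```python
import hashlib
import hmac
import os
import secrets
import time

# Lifetimes are assumptions (the draft suggests ~1 hour / 1 day).
VERIFY_TTL = 24 * 3600      # email-verification links
RESET_TTL = 60 * 60         # password-reset links

# Constructed stand-in for the users table. One token column serves both flows, so
# token_purpose records whether the current token is for "verify" or "reset".
USERS = {
    "alice@example.com": {"id": 42, "status": 0, "password_hash": None,
                          "token_hash": None, "token_purpose": None, "token_expires": 0.0},
}


def _hash_token(token):
    # Only the hash is stored: a leaked table dump does not contain usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password):
    """Salted scrypt password hash (parameters and encoding are assumptions)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def issue_token(email, purpose, now=None):
    """Create a fresh random token for `purpose` ("verify" or "reset") and store its hash
    plus expiry. Returns the raw token to embed in the emailed link, or None when the
    email is unknown; the HTTP response must look identical in both cases."""
    row = USERS.get(email.strip().lower())
    if row is None:
        return None
    token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
    ttl = VERIFY_TTL if purpose == "verify" else RESET_TTL
    row.update(token_hash=_hash_token(token), token_purpose=purpose,
               token_expires=(now if now is not None else time.time()) + ttl)
    return token


def consume_token(token, purpose, now=None):
    """Find the row whose stored hash matches the token from the link (GET parameter),
    check purpose and expiry, and clear the token so the link is single-use.
    Returns the user row, or None if the link is invalid, expired or for another flow."""
    now = now if now is not None else time.time()
    digest = _hash_token(token)
    for row in USERS.values():
        if row["token_hash"] and hmac.compare_digest(row["token_hash"], digest):
            ok = row["token_purpose"] == purpose and now <= row["token_expires"]
            row.update(token_hash=None, token_purpose=None, token_expires=0.0)  # burn it either way
            return row if ok else None
    return None


def verify_email(token, now=None):
    """Register step 8: flip status to 1 (verified) when the link checks out."""
    row = consume_token(token, "verify", now)
    if row is None:
        return False
    row["status"] = 1
    return True


def reset_password(token, new_password, confirm, now=None):
    """Forgot Password step 4: the password checks run first so a mismatch does not
    burn the link; then the token is consumed and the new hash stored."""
    if new_password != confirm or len(new_password) < 12:   # length floor is an assumption
        return False
    row = consume_token(token, "reset", now)
    if row is None:
        return False
    row["password_hash"] = hash_password(new_password)
    return True
```

Consuming the token on every hash match, including expired or wrong-purpose ones, means an old verification link can never be replayed as a reset link and vice versa. Session invalidation after a reset is left to the session store and is not shown here.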
  4. Remember me :
    1. If checked, then generate a random token, store its hash (with an expiry) in the DB and set the raw token in a browser cookie (HttpOnly; Secure; SameSite), so a copy of the table is not enough to forge cookies
    2. In the event of the session expiring, hash the cookie token and compare it (constant time) with the DB stored hash. If it matches and has not expired, then log in the user that row belongs to and issue a fresh token (rotate it), so a stolen cookie stops working after its first use
    3. In case of explicit logout, remove the browser cookie, and clear the hash from the DB table as well
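The remember-me steps above, as an added example that is not part of the original draft. The cookie value is split into a selector (a DB lookup key) and a validator (the secret); only the validator's hash is stored, the validator is compared in constant time, the token is rotated on every successful use, and a known selector arriving with the wrong validator is treated as a possible theft and revoked. The split, the 30-day lifetime and the cookie attributes are design choices for this example, and the table is a constructed dictionary:

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_TTL = 30 * 24 * 3600    # assumption: 30-day lifetime

# Constructed stand-in for a remember_me table: selector -> row.
REMEMBER_TOKENS = {}


def _hash(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_remember_cookie(user_id, now=None):
    """On login with "Remember me" checked: store selector + hash(validator) + expiry,
    and return the 'selector:validator' value for the cookie."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(9)
    validator = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = {"user_id": user_id, "validator_hash": _hash(validator),
                                 "expires": now + REMEMBER_TTL}
    return "%s:%s" % (selector, validator)


def set_cookie_header(value):
    """Set-Cookie value: not readable from script, HTTPS only, not sent cross-site."""
    return "remember_me=%s; Path=/; Max-Age=%d; HttpOnly; Secure; SameSite=Lax" % (value, REMEMBER_TTL)


def login_from_cookie(cookie, now=None):
    """Called when the session has expired. Returns (user_id, new_cookie_value) on
    success, or None. The old row is always deleted: on success because the token is
    rotated, on a wrong validator because someone holds a copy of the selector."""
    now = time.time() if now is None else now
    try:
        selector, validator = cookie.split(":", 1)
    except (AttributeError, ValueError):
        return None
    row = REMEMBER_TOKENS.get(selector)
    if row is None:
        return None
    del REMEMBER_TOKENS[selector]
    if not hmac.compare_digest(row["validator_hash"], _hash(validator)):
        return None
    if now > row["expires"]:
        return None
    return row["user_id"], issue_remember_cookie(row["user_id"], now)


def logout(cookie):
    """Explicit logout: delete the DB row; the caller also clears the browser cookie
    (same Set-Cookie but with Max-Age=0)."""
    try:
        selector, _ = cookie.split(":", 1)
    except (AttributeError, ValueError):
        return
    REMEMBER_TOKENS.pop(selector, None)
```

Looking the row up by selector (rather than by the validator's hash) keeps the DB query an exact-key lookup while still leaving the secret comparison to `hmac.compare_digest`.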
  5. Social Login :
    1. Get user details from the social network (FB / Twitter / Google+ / etc) – via OAuth 2.0 / OpenID Connect or any other protocol
    2. Check for the combination of "Type" (social network) + User ID (shared by the network) in the DB – emails are not always provided by social networks, hence the non-reliance on the email provided by the network
    3. Check if the ID is in the system already
      1. If it is, then check if the user is active
        1. If the user is active, then log in as the user found with the same ID
        2. If not active (or any other status), then take the user back to the login page, with an appropriate message
    4. If not, then check whether the social email is blank or not
      1. If it is NOT blank, and the network asserts that it verified the address, check if the social email is in the system already (linking on an unverified address would let anyone who registers the victim's email at the network log in as the victim)
        1. If it is, then check if the user is active
          1. If the user is active, then log in as the user found with the same social email, and store Type + ID against that user for the next login
          2. If not active (or any other status), then take the user back to the login page, with an appropriate message
        2. If it is not, then create a new user in the system with the ID and social email received from the social network
      2. If it is blank (or not verified by the network), then create a new user in the system with the ID and without any email
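The decision tree above as one function, an added example that is not part of the original draft. It assumes the OAuth / OpenID Connect exchange has already happened and produced a normalised profile dict with "provider", "id", and optional "email" / "email_verified" keys (that shape is an assumption); the users and Type + ID tables are constructed dictionaries. An email the network has not marked verified is treated exactly like a blank one, for matching and for storage, which is a design choice for this example:

```python
import itertools

# Constructed stand-ins for the DB: users keyed by id, and the (Type, provider user ID)
# pairs stored against those users. Status follows the draft: "active" or anything else.
USERS = {
    1: {"email": "alice@example.com", "status": "active"},
    2: {"email": "carol@example.com", "status": "suspended"},
}
SOCIAL_IDS = {("google", "g-1001"): 1, ("facebook", "fb-77"): 2}
_new_ids = itertools.count(3)


def _login_if_active(uid):
    status = USERS[uid]["status"]
    return ("login", uid) if status == "active" else ("denied", status)


def _find_by_email(email):
    for uid, row in USERS.items():
        if row["email"] == email:
            return uid
    return None


def social_login(profile):
    """Decide what to do with an identity returned by the social network.

    Returns ("login", user_id), ("denied", status) or ("created", user_id).
    """
    key = (profile["provider"], profile["id"])
    uid = SOCIAL_IDS.get(key)
    if uid is not None:                                   # step 3: known Type + ID
        return _login_if_active(uid)

    email = (profile.get("email") or "").strip().lower() or None
    # Step 4: the address is only usable, for matching an existing account or for
    # storing on a new one, when the network asserts it verified that address.
    # Otherwise anyone who registers the victim's address at the network could
    # log in as the victim here. Unverified is treated as blank (design choice).
    if not profile.get("email_verified", False):
        email = None

    if email is not None:
        existing = _find_by_email(email)
        if existing is not None:                          # step 4.1.1: email already in the system
            result = _login_if_active(existing)
            if result[0] == "login":
                SOCIAL_IDS[key] = existing                # link, so the next login hits step 3
            return result

    new_uid = next(_new_ids)                              # steps 4.1.2 / 4.2: create the user
    USERS[new_uid] = {"email": email, "status": "active"}
    SOCIAL_IDS[key] = new_uid
    return ("created", new_uid)
```

Linking is only recorded on a successful login, so a suspended account matched by email is neither logged in nor silently attached to the new provider identity.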