Making a registration system with Asp.Net and Linq-to-SQL (part 2)

Verifiying your users' email and activating thier accounts

In part 1 of this tutorial, we ended by emailing the user a verification link. In this part, we will us that to verify the user and activate their account.


The markup is very basic, as almost all of your stuff will be done in the backend:

<asp:Panel ID="Report" runat="server" />

Handle your input

This is where all the heavy lifting is done.Your user has a link which passes the verification guid in the querysting, so our verification page must parse the querystring.There are a few things we will be doing here:
  • Make sure there is a querystring
  • Make sure the Guid is in Guid format
  • Confirm the user from the DB based on Guid

Which is all reletively simple:

if (string.IsNullOrEmpty(Request.QueryString["guid"]))
  throw new Exception("invalid inputs", new Exception("please navigate here from the provided link"));

SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["demoConnectionString"].ConnectionString);
  dbDataContext db = new dbDataContext();
  string guid = Request.QueryString["guid"];
  Guid g = new Guid(guid);
  user u = Users.GetFromGuid(db, g);
  if (u.confirmed)
    Report.Success("account already confirmed", "apparently it was fun enough to do twice...");
    u.confirmed = true;
    Report.Success("account confirmed", "put some link here for the user to continue");
catch (Exception ex)
  if (ex.Message.Contains("no elements"))
    ex = new Exception("confirmation number not found");   Report.Error(ex);
finally { con.Close(); }

public static user GetFromGuid(dbDataContext db, Guid guid)
{ return db.users.Single(u => u.guid_ == guid); }

Ok, now what was done there? First, we simply test to see if a proper querystrirng was passed, if not, it throws an error which is handled with my.Error() extension.Then it goes on to make a SqlConnection, which might seems strange as it is not necessary, *but* since we are possibly making two calls to the DB: getting the user and confirming the user (if necessary) - opening the connection will make sure it only opens once as opposed to twice if we weren't to open it; it is unnecessary, but it is ever-so-slightly more efficient.After that it goes to get the user object from the DB by the GUID, if it is found, it is then confirmed.If there are eny errors or it is not found, it is handled.

Now, since nothing is emailed or anything like that, we can assume (maybe not totally safely) that the user who confirms is the one who got the email. I suppose there could be a brute force GUID bombing of the site, but that would be incredibly inefficient, not to mention pointless as it would only activate accounts and not provide the hacker with anything.

And that is it. You now have a fully working registration system that requires email confirmation and it wasn't even that tough. Here is the code:

« Part 1» Part 2
Comments are closed