I am building a user registration workflow for my JavaScript/PHP website. Once the user registers, they are added into a database (with an inactive status). The user will then receive an email confirmation, which requires them to click on a confirmation link.
Currently, the confirmation link will redirect the user to the site log-in page with the confirmation code as URL parameter. On document ready, the JavaScript will pull the confirmation code from the URL and submit it to the PHP back-end. If the code is valid, then the user status is upgraded to active in the database.
From a security standpoint, is it better for the confirmation link to navigate directly to the PHP, and then the PHP can redirect the user back to the website? What is the best practice?
Answer
I don’t think it matters all that much how you do it, as long as you are still validating the security code. You can do that with just PHP, if you really wanted to.
Send the user to e.g. /verify.php?key=123456, and on your page:
<?php
if (isset($_GET['key'])) {
    $key = $_GET['key'];
    // TODO: Perform validation on $key
    // TODO: Do whatever you are already doing to list the user's email as valid.
}
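As an added example (not the answerer's code), here is a verify.php that fills in the validation the TODOs leave open: the confirmation key is stored only as a hash, has an expiry, is cleared on first use so the link cannot be replayed, and the handler then redirects back to the site. The users table columns and the in-memory SQLite demo data are assumptions for the example.

```php
<?php
// verify.php (added example). Assumed schema: users(id, email, status, confirm_hash, confirm_expires).
declare(strict_types=1);

function verifyConfirmationKey(PDO $db, string $key): bool
{
    // Accept only the format we issue (16 random bytes as 32 hex chars); rejects junk early.
    if (!preg_match('/^[a-f0-9]{32}$/', $key)) {
        return false;
    }
    // The DB holds sha256(key), so a leaked table does not yield working confirmation links.
    $hash = hash('sha256', $key);
    $stmt = $db->prepare(
        'SELECT id FROM users WHERE confirm_hash = :h AND status = :inactive AND confirm_expires > :now'
    );
    $stmt->execute([':h' => $hash, ':inactive' => 'inactive', ':now' => time()]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return false; // unknown, expired, or already-used key
    }
    // Activate and clear the hash in one statement; rowCount guards against a concurrent double-use.
    $upd = $db->prepare(
        'UPDATE users SET status = :active, confirm_hash = NULL WHERE id = :id AND status = :inactive'
    );
    $upd->execute([':active' => 'active', ':id' => $id, ':inactive' => 'inactive']);
    return $upd->rowCount() === 1;
}

// --- constructed demo data (in-memory SQLite) standing in for the real users table ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, status TEXT,
           confirm_hash TEXT, confirm_expires INTEGER)');
$key = bin2hex(random_bytes(16)); // the value registration would put in the emailed link
$db->prepare('INSERT INTO users (email, status, confirm_hash, confirm_expires) VALUES (?, ?, ?, ?)')
   ->execute(['alice@example.com', 'inactive', hash('sha256', $key), time() + 86400]);

// Simulate the link being clicked: /verify.php?key=<key>
$_GET['key'] = $key;
$ok = isset($_GET['key']) && verifyConfirmationKey($db, (string) $_GET['key']); // first use: accepted
$again = verifyConfirmationKey($db, $key);                                        // second use: rejected

// In the real handler, send the user back to the site rather than rendering here:
// header('Location: /login.php?confirmed=' . ($ok ? '1' : '0'), true, 303); exit;
var_dump($ok, $again);
```

Only the hash ever touches the database, so the plain key exists solely in the email and in the request that redeems it.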