
Time: 2022-10-19 22:14:19

I have a membership site in beta right now... At the moment, when a user registers, it marks the account as unverified and sends them an email with a link to verify their account.


The real reason for doing this is to make sure they entered their valid email address correctly.


So I was contemplating removing the verification step to make it faster and easier to sign up. Just have it create an account that they can log into straight away.


The site uses PayPal for payment processing, so no sensitive data stored locally. It also only asks for a username, email address, and password when they register. So, really the most sensitive piece of info is the email address.


If I decide to do this, what sorts of problems could I be facing? Obviously, spam is one - but I'm developing ways to deal with that. Anything else?


Would you strongly recommend against this, and why? If it matters, I'm building it on the ASP.NET MVC platform.


Thanks in advance!


7 solutions


I'd say that the workflow of sign up, get e-mail, click on link in e-mail is now fairly ubiquitous and wouldn't put off the majority of users. I wouldn't go as far as saying that in general users expect this and would distrust a site that didn't do this, but it is getting that way.


It gives an added sense of security to users who now know that you're discouraging spammers in the first place rather than just dealing with them after the fact.


See also backslash17's answer about ensuring that the owner of the e-mail address is the one doing the signing up.



One of the problems of removing the address verification is that the user can be registered by anyone, and you are not going to have any validation method about not only the e-mail but the user's intention to be registered in your site.



Even if you find other ways to deal with spam, there is another important consideration.


If you let users enter any old e-mail address, they could be entering someone else's email address. Any email you send to your users will become unsolicited spam to someone who is not a member of your site.


If you are ever going to make use of your customers' email addresses, you have some responsibility to make sure they are correct.



The idea behind verifying email addresses is to reduce the number of fake accounts being registered for spam. Most websites use this method already, so you certainly won't be out-of-step if you do it.


You could always make it an option and if you find that there are a lot of spam accounts being registered, you could re-enable the feature.


The other option would be to add reCAPTCHA as human verification rather than email verification.



It's certainly nice to know that the email address entered is valid. But, is it important for the core function of the site? Are you likely to need to contact the user again? If the email is only an ancillary attribute of the user, it's OK to have it "fudgeable". Another thing to consider - how often are people going to be visiting your site? If it's infrequently, and they've fudged the email address, offering a "forgot password" option becomes difficult :-)


If you don't force verification, I'd suggest doing something like CodeProject. If you haven't verified your email address in a while, they put a nice yellow banner informing you that your email address might be out of date. It's unobtrusive and effective. I'd also suggest sending a "Welcome to widgets inc" email with an invitation to click on the link and verify the email addy. That way anybody who signs up as billyg@microsoft will be out of luck :-)


I was going to include a link to an awesome .NET Rocks show about email verification and bringing servers to their knees and spam and lots of good goodness, but I can't find it! I think it was Ayende or Oren or one of those smart guys. Anybody remember the episode?
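
The non-blocking flow suggested in the answer above (log in straight away, confirm through a link in the welcome e-mail, show a banner until then), as an added example that is not part of any answer on this page. It is written in Python for illustration rather than ASP.NET MVC; the secret, the 24-hour lifetime, the account dictionary and all function names are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: a random server-side secret
TTL = 24 * 3600                    # assumption: links expire after 24 hours

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(user_id, email, now=None):
    """Token for the link in the welcome e-mail; nothing is stored server-side."""
    exp = int(time.time() if now is None else now) + TTL
    body = json.dumps({"uid": user_id, "email": email.lower(), "exp": exp}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _enc(body) + "." + _enc(sig)

def check_token(token, now=None):
    """Return the signed claims, or None if malformed, forged or expired."""
    try:
        body64, sig64 = token.split(".")
        body, sig = _dec(body64), _dec(sig64)
    except ValueError:
        return None
    good = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):   # constant-time comparison
        return None
    claims = json.loads(body)                # safe to parse: signature matched
    if claims["exp"] < (time.time() if now is None else now):
        return None
    return claims

def confirm(account, token, now=None):
    """Mark the account verified only if the token names this account and the
    address currently on file, so an old link dies when the e-mail changes."""
    claims = check_token(token, now)
    if not claims or claims["uid"] != account["id"]:
        return False
    if claims["email"] != account["email"].lower():
        return False
    account["verified"] = True
    return True

def banner(account):
    """Reminder text for unverified accounts; None once confirmed."""
    return None if account["verified"] else "Please confirm your e-mail address."
```

Someone who registers with another person's address never receives the link, so that account stays unverified and the site can withhold further mail to that address until `confirm` succeeds.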



I always suggest verifying e-mail addresses to reduce fake accounts/spam.


If you were to use Drupal they make this really easy. You can manually approve users if you'd like...plus it sends an e-mail to the address they've used to continue with the authorization process.


After seeing so many people try to spam message boards - I highly recommend verifying and using a CAPTCHA.



Other than spam, the main issue I can see is if someone forgets their password AND happened to give an invalid e-mail address. If you can come up with another solution to this (and have the spam under control), then I don't see offhand any other drawbacks to the instant sign-up.



