I have a membership site in beta right now... At the moment, when a user registers, it marks the account as unverified and sends them an email with a link to verify their account.
我现在有一个测试版会员网站...目前,当用户注册时,它会将该帐户标记为未经验证,并向他们发送一封电子邮件,其中包含用于验证其帐户的链接。
The real reason for doing this is to make sure they entered their valid email address correctly.
这样做的真正原因是确保他们正确输入了有效的电子邮件地址。
So I was contemplating on removing the verification step to make it faster and easier to sign up. Just have it create an account that they can log into straight away.
因此,我正在考虑删除验证步骤,以便更快,更轻松地进行注册。只需让它创建一个他们可以立即登录的帐户。
The site uses PayPal for payment processing, so no sensitive data stored locally. It also only asks for a username, email address, and password when they register. So, really the most sensitive piece of info is the email address.
该网站使用PayPal进行支付处理,因此本地不存储敏感数据。它还只在注册时要求输入用户名,电子邮件地址和密码。所以,真正最敏感的信息是电子邮件地址。
If I decide to do this, what sorts of problems could I be facing? Obviously, spam is one - but I'm developing ways to deal with that. Anything else?
如果我决定这样做,我可能面临哪些问题?显然,垃圾邮件就是其中之一 - 但我正在开发处理垃圾邮件的方法。还要别的吗?
Would you strongly recommend against this, and why? If it matters, I'm building it on the ASP.NET MVC platform.
你会强烈建议不要这样做,为什么?如果重要,我将在ASP.NET MVC平台上构建它。
Thanks in advance!
提前致谢!
7 个解决方案
#1
I'd say that the workflow of sign up, get e-mail, click on link in e-mail is now fairly ubiquitous and wouldn't put off the majority of users. I wouldn't go as far as saying that in general users expect this and would distrust a site that didn't do this, but it is getting that way.
我要说的是,注册,获取电子邮件,点击电子邮件中的链接的工作流程现在相当普遍,不会让大多数用户失望。我不会说,一般用户期望这样,并且会不信任一个没有这样做的网站,但它正在这样做。
It gives an added sense of security to users who now know that you're discouraging spammers in the first place rather than just dealing with them after the fact.
它为用户提供了额外的安全感,他们现在知道你首先要阻止垃圾邮件发送者,而不是仅仅在事后处理它们。
See also backslash17's answer about ensuring that the owner of the e-mail address is the one doing the signing up.
另请参阅backslash17关于确保电子邮件地址的所有者是进行注册的人的答案。
#2
One of the problems of removing the address verification is that the user can be registered by anyone, and you are not going to have any validation method about not only the e-mail but the user's intention to be registered in your site.
删除地址验证的一个问题是用户可以由任何人注册,并且您不会有任何验证方法,不仅仅是电子邮件,还有用户在您的站点中注册的意图。
#3
Even if you find other ways to deal with spam, there is another important consideration.
即使您找到其他方法来处理垃圾邮件,还有另一个重要的考虑因素。
If you let user's enter any old e-mail address, they could be entering someone else's email address. Any email you send to your users will become unsolicited spam to someone who is not a member of your site.
如果您让用户输入任何旧的电子邮件地址,他们可能会输入其他人的电子邮件地址。您发送给用户的任何电子邮件都将成为非您网站成员的未经请求的垃圾邮件。
If you are ever going to make use of your customers' email addresses, you have some responsibility to making sure they are correct.
如果您打算使用客户的电子邮件地址,您有责任确保它们是正确的。
#4
The idea behind verifying email addresses is to reduce the number of fake accounts being registered for spam. Most websites use this method already, so you certainly won't be out-of-step if you do it.
验证电子邮件地址背后的想法是减少为垃圾邮件注册的虚假帐户的数量。大多数网站已经使用过这种方法,所以如果你这样做,你肯定不会失步。
You could always make it an option and if you find that there are a lot of spam accounts being registered, you could re-enable the feature.
您可以随时选择它,如果您发现有很多垃圾邮件帐户被注册,您可以重新启用该功能。
The other option would be to add reCAPTCHA as human verification rather than email verification.
另一种选择是将reCAPTCHA添加为人工验证而不是电子邮件验证。
#5
It's certainly nice to know that the email address entered is valid. But, is it important for the core function of the site? Are you likely to need to contact the user again? If the email is only an ancillary attribute of the user, it's OK to have it "fudgeable". Another thing to consider - how often are people going to be visiting your site? If it's infrequently, and they've fudged the email address, offering a "forgot password" option becomes difficult :-)
知道输入的电子邮件地址是有效的,这当然很好。但是,它对网站的核心功能很重要吗?您是否可能需要再次联系该用户?如果电子邮件只是用户的辅助属性,则可以将其设置为“可虚拟”。另一件需要考虑的事情 - 人们多久会访问您的网站?如果不经常,并且他们捏造了电子邮件地址,提供“忘记密码”选项变得困难:-)
If you don't force verification, I'd suggest doing something like CodeProject. If you haven't verified your email address in a while, they put a nice yellow banner informing you that your email address might be out of date. It's unobtrusive and effective. I'd also suggest sending a "Welcome to widgets inc" email with an invitation to click on the link and verify the email addy. That way anybody who signs up as billyg@microsoft will be out of luck :-)
如果您不强制验证,我建议您执行类似CodeProject的操作。如果您有一段时间没有验证您的电子邮件地址,他们会放置一个漂亮的黄色横幅,通知您您的电子邮件地址可能已过期。它不引人注目且有效。我还建议发送一封“Welcome to widgets inc”电子邮件,邀请您点击该链接并验证电子邮件地址。这样任何注册billyg @ microsoft的人都会失败:-)
I was going to include a link to an awesome .net rocks show about email verification and bringing servers to their knees and spam and lots of good goodness, but I can't find it! I think it was Ayende or Oren or one of those smart guys. Anybody remember the episode?
我将要包含一个链接到一个非常棒的.net摇滚节目关于电子邮件验证和服务器跪下和垃圾邮件和很多好的,但我找不到它!我认为是Ayende或Oren或其中一个聪明人。有人还记得那集吗?
#6
I always suggest verifying e-mail addresses to reduce fake accounts/spam.
我总是建议验证电子邮件地址以减少虚假帐户/垃圾邮件。
If you were to use Drupal they make this really easy. You can manually approve users if you'd like...plus it sends an e-mail to the address they've used to continue with the authorization process.
如果你使用Drupal,他们会很容易。如果您愿意,可以手动批准用户...此外,它还会向他们用于继续授权过程的地址发送电子邮件。
After seeing so many people try to spam message boards - I highly recommend verifying and using a CAPTCHA
看到这么多人试图垃圾邮件板 - 我强烈建议验证并使用验证码
#7
Other than spam, the main issue I can see is if someone forgets their password AND happened to give an invalid e-mail address. If you can come up with another solution to this (and have the spam under control), then I don't see offhand any other drawbacks to the instant sign-up.
除了垃圾邮件之外,我能看到的主要问题是,如果有人忘记密码并且碰巧提供了无效的电子邮件地址。如果您能够提出另一个解决方案(并控制垃圾邮件),那么我不会立即看到即时注册的任何其他缺点。
#1
I'd say that the workflow of sign up, get e-mail, click on link in e-mail is now fairly ubiquitous and wouldn't put off the majority of users. I wouldn't go as far as saying that in general users expect this and would distrust a site that didn't do this, but it is getting that way.
我要说的是,注册,获取电子邮件,点击电子邮件中的链接的工作流程现在相当普遍,不会让大多数用户失望。我不会说,一般用户期望这样,并且会不信任一个没有这样做的网站,但它正在这样做。
It gives an added sense of security to users who now know that you're discouraging spammers in the first place rather than just dealing with them after the fact.
它为用户提供了额外的安全感,他们现在知道你首先要阻止垃圾邮件发送者,而不是仅仅在事后处理它们。
See also backslash17's answer about ensuring that the owner of the e-mail address is the one doing the signing up.
另请参阅backslash17关于确保电子邮件地址的所有者是进行注册的人的答案。
#2
One of the problems of removing the address verification is that the user can be registered by anyone, and you are not going to have any validation method about not only the e-mail but the user's intention to be registered in your site.
删除地址验证的一个问题是用户可以由任何人注册,并且您不会有任何验证方法,不仅仅是电子邮件,还有用户在您的站点中注册的意图。
#3
Even if you find other ways to deal with spam, there is another important consideration.
即使您找到其他方法来处理垃圾邮件,还有另一个重要的考虑因素。
If you let user's enter any old e-mail address, they could be entering someone else's email address. Any email you send to your users will become unsolicited spam to someone who is not a member of your site.
如果您让用户输入任何旧的电子邮件地址,他们可能会输入其他人的电子邮件地址。您发送给用户的任何电子邮件都将成为非您网站成员的未经请求的垃圾邮件。
If you are ever going to make use of your customers' email addresses, you have some responsibility to making sure they are correct.
如果您打算使用客户的电子邮件地址,您有责任确保它们是正确的。
#4
The idea behind verifying email addresses is to reduce the number of fake accounts being registered for spam. Most websites use this method already, so you certainly won't be out-of-step if you do it.
验证电子邮件地址背后的想法是减少为垃圾邮件注册的虚假帐户的数量。大多数网站已经使用过这种方法,所以如果你这样做,你肯定不会失步。
You could always make it an option and if you find that there are a lot of spam accounts being registered, you could re-enable the feature.
您可以随时选择它,如果您发现有很多垃圾邮件帐户被注册,您可以重新启用该功能。
The other option would be to add reCAPTCHA as human verification rather than email verification.
另一种选择是将reCAPTCHA添加为人工验证而不是电子邮件验证。
#5
It's certainly nice to know that the email address entered is valid. But, is it important for the core function of the site? Are you likely to need to contact the user again? If the email is only an ancillary attribute of the user, it's OK to have it "fudgeable". Another thing to consider - how often are people going to be visiting your site? If it's infrequently, and they've fudged the email address, offering a "forgot password" option becomes difficult :-)
知道输入的电子邮件地址是有效的,这当然很好。但是,它对网站的核心功能很重要吗?您是否可能需要再次联系该用户?如果电子邮件只是用户的辅助属性,则可以将其设置为“可虚拟”。另一件需要考虑的事情 - 人们多久会访问您的网站?如果不经常,并且他们捏造了电子邮件地址,提供“忘记密码”选项变得困难:-)
If you don't force verification, I'd suggest doing something like CodeProject. If you haven't verified your email address in a while, they put a nice yellow banner informing you that your email address might be out of date. It's unobtrusive and effective. I'd also suggest sending a "Welcome to widgets inc" email with an invitation to click on the link and verify the email addy. That way anybody who signs up as billyg@microsoft will be out of luck :-)
如果您不强制验证,我建议您执行类似CodeProject的操作。如果您有一段时间没有验证您的电子邮件地址,他们会放置一个漂亮的黄色横幅,通知您您的电子邮件地址可能已过期。它不引人注目且有效。我还建议发送一封“Welcome to widgets inc”电子邮件,邀请您点击该链接并验证电子邮件地址。这样任何注册billyg @ microsoft的人都会失败:-)
I was going to include a link to an awesome .net rocks show about email verification and bringing servers to their knees and spam and lots of good goodness, but I can't find it! I think it was Ayende or Oren or one of those smart guys. Anybody remember the episode?
我将要包含一个链接到一个非常棒的.net摇滚节目关于电子邮件验证和服务器跪下和垃圾邮件和很多好的,但我找不到它!我认为是Ayende或Oren或其中一个聪明人。有人还记得那集吗?
#6
I always suggest verifying e-mail addresses to reduce fake accounts/spam.
我总是建议验证电子邮件地址以减少虚假帐户/垃圾邮件。
If you were to use Drupal they make this really easy. You can manually approve users if you'd like...plus it sends an e-mail to the address they've used to continue with the authorization process.
如果你使用Drupal,他们会很容易。如果您愿意,可以手动批准用户...此外,它还会向他们用于继续授权过程的地址发送电子邮件。
After seeing so many people try to spam message boards - I highly recommend verifying and using a CAPTCHA
看到这么多人试图垃圾邮件板 - 我强烈建议验证并使用验证码
#7
Other than spam, the main issue I can see is if someone forgets their password AND happened to give an invalid e-mail address. If you can come up with another solution to this (and have the spam under control), then I don't see offhand any other drawbacks to the instant sign-up.
除了垃圾邮件之外,我能看到的主要问题是,如果有人忘记密码并且碰巧提供了无效的电子邮件地址。如果您能够提出另一个解决方案(并控制垃圾邮件),那么我不会立即看到即时注册的任何其他缺点。