Designing a “trial before signup” system securely
How can I implement a "trial before signup" user system safely?
My thoughts so far are:
- User clicks "Try product"
- Controller creates new user
  - sets is_trial = true
  - sets trial_id = UUID()
- Set session/cookie trial_id = user.trial_id
- Future visits check session/cookie for trial_id, load user if present and found, else redirect to signup/start-trial page.
I think this will function fine barring two people generating the same UUID, but my worry is that a user could edit their cookie's trial_id and spoof their way into someone else's (admittedly also trial) account.
I know the chance of someone guessing someone else's UUID is pretty small, but it's not impossible.
Is this how these systems are normally designed? How can I add more security?
authentication web-applications phoenix-framework
asked Nov 25 '18 at 5:27
purplelulu
1 Answer
I believe the method outlined is correct, along with adding something such as JWT to either sign (to prevent tampering) or sign and encrypt the cookies.
answered Nov 25 '18 at 9:03
purplelulu
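The forgery the question worries about and the signing the answer recommends, worked through as an added example (this is editor-supplied Python, not code from the post and not Phoenix code). The cookie value becomes trial_id.mac, where mac is an HMAC-SHA256 over trial_id under a server-side key; on every request the server recomputes the MAC with hmac.compare_digest and rejects any value it did not issue, so a user who edits the trial_id part of their cookie to someone else's UUID is sent to the start-trial page instead of into that account. The function names (create_trial_user, sign_cookie, verify_cookie, load_user_from_cookie, set_cookie_header), the USERS dict standing in for the database and the generated SECRET_KEY are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import uuid
from typing import Optional

# Server-side signing key. Generated here so the example runs offline; in a real
# deployment load it from configuration (it plays the role of Phoenix's
# secret_key_base) and never ship it to the client.
SECRET_KEY = secrets.token_bytes(32)

# Stand-in for the users table (constructed for this example).
USERS: dict = {}

TRIAL_COOKIE_MAX_AGE = 14 * 24 * 3600  # 14-day trial window (assumed value)


def create_trial_user() -> dict:
    """Controller step from the question: create a trial user with a random UUID.

    uuid4 draws 122 random bits from os.urandom; uuid1 (time + MAC address)
    would be guessable and must not be used for this.
    """
    trial_id = str(uuid.uuid4())
    user = {"is_trial": True, "trial_id": trial_id}
    USERS[trial_id] = user
    return user


def sign_cookie(trial_id: str, key: bytes = SECRET_KEY) -> str:
    """Issue the cookie value trial_id.mac so the client cannot alter trial_id."""
    mac = hmac.new(key, trial_id.encode(), hashlib.sha256).hexdigest()
    return f"{trial_id}.{mac}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return trial_id if the MAC is valid for it, otherwise None."""
    try:
        trial_id, mac = cookie.rsplit(".", 1)
    except ValueError:          # no MAC present at all (raw trial_id pasted in)
        return None
    expected = hmac.new(key, trial_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    return trial_id


def load_user_from_cookie(cookie: Optional[str]) -> Optional[dict]:
    """Future visits: load the user only if the cookie verifies AND the row exists.

    Signing does not replace the database lookup; a validly signed id whose
    user was deleted or converted must still fall through to the redirect.
    """
    if cookie is None:
        return None
    trial_id = verify_cookie(cookie)
    if trial_id is None:
        return None
    return USERS.get(trial_id)


def set_cookie_header(value: str) -> str:
    """Set-Cookie header for the signed value. HttpOnly keeps it from page scripts,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    return (f"trial={value}; Max-Age={TRIAL_COOKIE_MAX_AGE}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def demo() -> dict:
    """Attacker edits the trial_id in their own signed cookie to the victim's id."""
    victim = create_trial_user()
    attacker = create_trial_user()
    attacker_cookie = sign_cookie(attacker["trial_id"])
    attacker_mac = attacker_cookie.rsplit(".", 1)[1]
    forged_cookie = f"{victim['trial_id']}.{attacker_mac}"
    return {
        "own_cookie_loads_own_user": load_user_from_cookie(attacker_cookie) is attacker,
        "forged_cookie_loads": load_user_from_cookie(forged_cookie),       # None
        "unsigned_cookie_loads": load_user_from_cookie(victim["trial_id"]),  # None
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats on what this buys. The MAC stops forgery, not theft: trial_id.mac is still a bearer credential, so if it leaks (script injection on a page where the cookie is readable, or a plaintext hop) whoever holds it is that trial user, which is why the HttpOnly, Secure and SameSite attributes and an expiry belong on the cookie. And the probability argument in the question changes once the value is signed: an attacker who cannot produce a valid MAC gains nothing from guessing or colliding a UUID, so the residual risk is key management, not UUID entropy. In a Phoenix application the same protection comes for free from Plug.Session's cookie store, which signs the session with secret_key_base and a signing_salt (and encrypts it as well when an encryption_salt is configured), so putting trial_id in the Phoenix session rather than a hand-rolled cookie gives the answer's recommendation without custom code.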