Questioning the Security of Activation E-mail

You know, I have been getting this thread and another one of mine mixed up?! (Happens when some of my threads seem to linger…)

In the past, I had asked, “How hard would it be for someone to guess your SessionID?” (My concern being that the SessionID is stored in a cookie locally on a user’s machine. So what is there to stop someone from simply editing their Session Cookie and in turn hijacking someone else’s session?! For example, DoubleDee’s SessionID in the Session Cookie is “1234” and I go into my cookie and change it to “6789” and then end up pretending to be “ULTiMATE”…)

I haven’t eaten in a day and I was dizzy enough before I realized I forgot what this thread was originally about?! Oops!

Let me see if I can rebound…

You are correct that once a user activates his/her account and becomes a full-fledged Member, this would no longer apply. (My code handles double-authentication attempts.)

Originally, I was concerned that someone could attempt a DoS attack and just start hammering my website with random links hoping to activate new Members.

Maybe re-read my Original Post to refresh your memory what I was thinking…

Here is the gist of what I said…

Sincerely,

Debbie

Re-read Raymond’s blog post – the keyspace for GUIDs is so large that it would take years to hit the first one unless you had billions of registrations. Even if they did then they would just be activating someone else’s account which might be disconcerting for the user but shouldn’t matter.

Furthermore, if I was going to DDoS your site I wouldn’t bother with anything that fancy – you can take down most web servers with a handful of slowloris bots.
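To put a number on the keyspace argument in the reply above, here is an added worked estimate (not from either poster) assuming the activation tokens are version 4 GUIDs, which carry 122 random bits, and that the attacker's goal is to hit any one of $N$ pending activation tokens with $k$ random guesses:

$$
P(\text{at least one hit}) \le \frac{k \cdot N}{2^{122}}, \qquad 2^{122} \approx 5.3 \times 10^{36}.
$$

Taking a generous $k = 10^{9}$ guesses per second for a full year ($k \approx 3.2 \times 10^{16}$) against $N = 10^{6}$ simultaneously pending accounts:

$$
P \le \frac{3.2 \times 10^{16} \cdot 10^{6}}{5.3 \times 10^{36}} \approx 6 \times 10^{-15}.
$$

The bound only holds if the tokens are drawn from a cryptographically secure random source; a sequential or timestamp-derived identifier has a far smaller effective keyspace, and that, rather than GUID length, is the property to verify in the registration code.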