Creating Email Verification Links

For a web application, I would like to create an email verification link and send it to the user. As with many public websites, the user must click on it to verify their email address. It looks something like this:

http://www.foo.bar/validation?code=421affe123j4h141k2l3bjkbf43134kjbfkl34bfk3b4fkjb43ffe

Can someone help me with some tips on correctly generating these validation tokens? Googling for best practices turned out to be harder than I expected. Links should:

  • ... not require the user to log in first.
  • ... not show any credentials, to ensure the security of the application.
  • ... let me, as a developer, effectively validate a token. I'm sure I need a way to extract the user ID from the code to meet these criteria, don't I?

Also, would you choose a random code that is saved somewhere, or a generated code that I can recompute for verification?

Thanks for any answers!

Matthias

PS I work with ASP.NET 3.5, if you have a ready-made function.

+3
4 answers

Some suggestions to help you get started:

  • Use GUID
  • Use some salted hash (MD5, SHA1, etc.)
  • Use a random string of characters (the more characters, the less chance of collision)
  • , .
+5

- GUID, , , GUID.

, , URL, .

+2

, :

 code = MD5( my_hash + user_email + register_timestamp )

http://example.com/validation/?code= 4kj34....

:

 SELECT id 
 FROM users 
 WHERE 
   MD5( CONCAT( my_hash, user_email, register_timestamp ) ) = code
   AND activated = 0

If you get a single result, update your "activated" field and sign it. You can also do some math on the "register_timestamp" field for a poor man's TTL.

+2

I would probably use a Guid. Just create a Guid (by calling Guid.NewGuid()), save it as the verification token for this user, and include it in the verification link.

+1
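
The two options the question asks about (a random code that is stored, or a code that can be recomputed), as an added C# example that is not from any of the posters. It swaps in a CSPRNG for the GUID and HMAC-SHA256 for the MD5 concatenation; `EmailVerification`, `serverKey` and `lookupEmail` are hypothetical names, and `serverKey` is assumed to be an application secret of at least 32 random bytes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
public static class EmailVerification // hypothetical helper class, not from the page
{
    // Option 1: random code, saved with the user row and looked up on click.
    // 32 bytes from the CSPRNG; a GUID is unique but not designed to be unguessable.
    public static string NewRandomCode()
    {
        var buf = new byte[32];
        RandomNumberGenerator.Create().GetBytes(buf);
        return Hex(buf);
    }

    // Option 2: recomputable code "userId.expiry.mac"; nothing extra is stored.
    // serverKey is an assumed application secret kept outside the database.
    public static string NewSignedCode(byte[] serverKey, int userId, string email, DateTime expiresUtc)
    {
        long exp = expiresUtc.Ticks;
        return userId + "." + exp + "." + Mac(serverKey, userId, email, exp);
    }

    // Returns the user id if the code is authentic, unexpired and bound to this email, else -1.
    // lookupEmail stands in for "SELECT email FROM users WHERE id = @id AND activated = 0".
    public static int VerifySignedCode(byte[] serverKey, string code, Func<int, string> lookupEmail, DateTime nowUtc)
    {
        string[] p = (code ?? "").Split('.');
        int userId; long exp;
        if (p.Length != 3 || !int.TryParse(p[0], out userId) || !long.TryParse(p[1], out exp)) return -1;
        string email = lookupEmail(userId); // null: unknown user or already activated
        if (email == null || nowUtc.Ticks > exp) return -1;
        return FixedTimeEquals(p[2], Mac(serverKey, userId, email, exp)) ? userId : -1;
    }

    static string Mac(byte[] key, int userId, string email, long exp)
    {
        // Delimited fields, so two different (id, expiry, email) triples never share an input.
        byte[] msg = Encoding.UTF8.GetBytes("email-verify|" + userId + "|" + exp + "|" + email.ToLowerInvariant());
        using (var h = new HMACSHA256(key)) return Hex(h.ComputeHash(msg));
    }

    static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i]; // no early exit on mismatch
        return diff == 0;
    }
}
```

With option 2 the user ID is read from the code itself, and a replayed link stops working once the account is activated because the lookup no longer returns a row.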

Source: https://habr.com/ru/post/1712561/

