Hi all

For a Web Application I'd like to generate an email validation link and send it to the user. Like on many public websites, the user should click it to validate his email address. Looks similar to this:

http://www.foo.bar/validation?code=421affe123j4h141k2l3bjkbf43134kjbfkl34bfk3b4fkjb43ffe

Can anybody help me with some hints about the proper generation of those validation tokens? Googling best practices turned out to be more difficult than I thought it would be. The links should:

  • ... not require the user to log in first.
  • ... not reveal any login credentials to keep the application secure
  • ... allow me as a developer to efficiently validate the token. I'm pretty sure I need a way to extract the user identifier out of the code to meet this criterion. Don't I?

Furthermore, would you go for a random code, which is saved somewhere, or a generated code which I can recalculate for validation?

Thanks for any replies!

Matthias

P.S. I'm working with ASP.NET 3.5, in case there's an out-of-the-box feature to perform this.

+1  A: 

I would probably use a Guid. Just create a Guid (by calling Guid.NewGuid()), store it as the validation token for that user, and include it in the validation link.

Fredrik Mörk
+4  A: 

Some suggestions to get you started:

  • Use GUIDs
  • Use some sort of salted hash (MD5, SHA1, etc)
  • Use a random string of characters (the more characters the less likely you'll have collisions)
  • Store it in a database temporarily, and timestamp it so that it expires after a certain period of time
mgroves
+1 good and complete answer
Mercer Traieste
+1  A: 

The simplest way to do it is generate a GUID, store that in the database tying it to their user account and then give them a time-frame within which to click a link with that GUID in.

That validates they are the correct person without making the URL calculable whilst making it resistant to dictionary style attacks.

Garry Shutler
A: 

I construct the hash in a way that can be re-created:

 code = MD5( my_hash + user_email + register_timestamp )

Then send a link to http://example.com/validation/?code = 4kj34....

Validation does a lookup like:

 SELECT id 
 FROM users 
 WHERE 
   MD5( CONCAT( my_hash, user_email, register_timestamp ) ) = code
   AND activated = 0

If you get a single result, update their 'activated' field and sign them in. You can also do some math on their 'register_timestamp' field for a poor man's TTL.

rooskie
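
As an added example (not code from any of the answers above), here is one way to build a re-creatable code like the one in the last answer so that it also carries the user identifier and an expiry, as the question asks. It uses HMAC-SHA256 with a server-side key in place of MD5 over concatenated fields; the class name, the token layout and the key parameter are assumptions, and user ids are assumed to be non-negative integers.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example. Class name, token layout and key handling are assumptions.
// Token layout: "<userId>.<expiryUnixSeconds>.<hex HMAC-SHA256>"
public static class EmailValidationToken
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    public static string Create(byte[] key, int userId, string email, DateTime expiresUtc)
    {
        string id = userId.ToString(CultureInfo.InvariantCulture);
        string exp = ((long)(expiresUtc - Epoch).TotalSeconds).ToString(CultureInfo.InvariantCulture);
        return id + "." + exp + "." + Mac(key, id, exp, email);
    }
    // Step 1: read the claimed user id so the caller can load that user's email.
    public static bool TryGetUserId(string token, out int userId)
    {
        string[] p; long exp;
        return Parse(token, out p, out userId, out exp);
    }
    // Step 2: recompute the MAC over the email on record, then check the expiry.
    public static bool IsValid(byte[] key, string token, string emailOnRecord, DateTime nowUtc)
    {
        string[] p; int id; long exp;
        if (!Parse(token, out p, out id, out exp)) return false;
        string expected = Mac(key, p[0], p[1], emailOnRecord);
        int diff = expected.Length ^ p[2].Length;   // compare without an early exit
        for (int i = 0; i < expected.Length && i < p[2].Length; i++) diff |= expected[i] ^ p[2][i];
        return diff == 0 && (long)(nowUtc - Epoch).TotalSeconds <= exp;
    }
    // NumberStyles.None accepts digits only: no sign, no whitespace, no separators.
    static bool Parse(string token, out string[] p, out int id, out long exp)
    {
        id = 0; exp = 0;
        p = (token ?? "").Split('.');
        return p.Length == 3
            && int.TryParse(p[0], NumberStyles.None, CultureInfo.InvariantCulture, out id)
            && long.TryParse(p[1], NumberStyles.None, CultureInfo.InvariantCulture, out exp);
    }
    static string Mac(byte[] key, string id, string exp, string email)
    {
        // id and exp are digits only, so "|" cannot appear in them and the fields stay unambiguous.
        byte[] msg = Encoding.UTF8.GetBytes(id + "|" + exp + "|" + email.ToLowerInvariant());
        using (HMACSHA256 h = new HMACSHA256(key))
            return BitConverter.ToString(h.ComputeHash(msg)).Replace("-", "").ToLowerInvariant();
    }
}
```

The key should be a random server-side secret (for example 32 bytes from RNGCryptoServiceProvider) that never appears in the link. Because the email on record is part of the MAC, a link issued for an old address stops validating once the address changes.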