views:

235

answers:

1

I am in the process of writing a server-side Java program which would send an e-mail to a user with a confirmation URL (located in the body of the e-mail).

I have already created the servlet (which can send an e-mail) using the JavaMail API... I am wondering how I would design / implement the actual unique URL (where, upon an end user's click, it launches a browser and states "Confirmed." in a web page)? The confirmation would have to match the end user's e-mail address (for verification purposes). Would I need to generate a token which would match the User created in a database, or would I use HttpSessions or Cookies appended to the URL?

Would appreciate it if someone could point me in the right direction...

Happy programming,

Mike

+1  A: 

If you can afford a database for this, the best approach should work like this:

  1. Before you send the confirmation email, create a record with the session ID as the key. Store the email address, expiration and all other information in the database. Encode the session ID in the confirmation link. You should also include instructions on how to enter the confirmation code manually for when the email client prohibits hot links. A short session ID should be used for manual entry.
  2. When the user clicks on the link or enters the session ID manually, go to the database to retrieve the session. If the email matches and the session has not expired, the user is confirmed.

In some other applications, we don't want to create a database just for this, so we create an HMAC (secret hash) of the email address and use that as the confirmation secret. The email needs to be provided in the link in this case.

HttpSession and cookies don't work because they may be gone when the user clicks on the confirmation link days later.

ZZ Coder
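Both designs from the answer above, written out as one added Java example. This is not code from the question, the answer or any project: the class and method names, the in-memory map standing in for the database, the 24-hour TTL and the throwaway demo key are all assumptions. It also adds three things the answer leaves implicit: the stored variant keeps SHA-256(token) rather than the token itself and consumes the token on first use, the stateless variant puts the expiry inside the payload so the HMAC covers it (a bare HMAC(email) never expires), and tag comparison is constant-time.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative confirmation tokens: a stored random token (approach 1) and a stateless HMAC (approach 2). */
public class ConfirmationTokens {

    // Stand-in for the database row of approach 1: whose token it is and when it expires.
    private static final class Pending {
        final String email;
        final Instant expires;
        Pending(String email, Instant expires) { this.email = email; this.expires = expires; }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final Map<String, Pending> store = new ConcurrentHashMap<>(); // keyed by SHA-256(token), not the token
    private final byte[] hmacKey; // approach 2 only; a real deployment loads one persistent key from config
    private final Duration ttl;

    ConfirmationTokens(byte[] hmacKey, Duration ttl) {
        this.hmacKey = hmacKey.clone();
        this.ttl = ttl;
    }

    /** Approach 1: create the record and return the opaque random token to embed in the link. */
    public String issueStoredToken(String email) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG; never derive the token from the email or a counter
        RNG.nextBytes(raw);
        String token = ENC.encodeToString(raw);
        store.put(sha256(token), new Pending(email.toLowerCase(), Instant.now().plus(ttl)));
        return token;
    }

    /** Approach 1: returns the confirmed email, or null if the token is unknown, expired or already used. */
    public String confirmStoredToken(String token) {
        Pending p = store.remove(sha256(token)); // remove first: a token is single-use
        if (p == null || Instant.now().isAfter(p.expires)) return null;
        return p.email;
    }

    /** Approach 2: no database; the link carries email, expiry and an HMAC over both. */
    public String issueHmacToken(String email) {
        String payload = email.toLowerCase() + "|" + Instant.now().plus(ttl).getEpochSecond();
        return ENC.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + "." + ENC.encodeToString(hmac(payload));
    }

    /** Approach 2: verify tag then expiry; returns the email or null. Not single-use: valid until it expires. */
    public String confirmHmacToken(String token) {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String payload;
        byte[] tag;
        try {
            payload = new String(DEC.decode(token.substring(0, dot)), StandardCharsets.UTF_8);
            tag = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        if (!MessageDigest.isEqual(hmac(payload), tag)) return null; // constant-time comparison
        int sep = payload.lastIndexOf('|');
        if (sep < 0) return null;
        long exp;
        try { exp = Long.parseLong(payload.substring(sep + 1)); } catch (NumberFormatException e) { return null; }
        return Instant.now().getEpochSecond() <= exp ? payload.substring(0, sep) : null;
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String sha256(String s) {
        try {
            return ENC.encodeToString(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key); // demo only; in production the key must survive restarts or issued links die with it
        ConfirmationTokens t = new ConfirmationTokens(key, Duration.ofHours(24));

        String stored = t.issueStoredToken("mike@example.com");
        System.out.println("link:   https://example.com/confirm?t=" + stored);
        System.out.println("first:  " + t.confirmStoredToken(stored));
        System.out.println("second: " + t.confirmStoredToken(stored));

        String stateless = t.issueHmacToken("mike@example.com");
        String forged = ENC.encodeToString("attacker@example.com|9999999999".getBytes(StandardCharsets.UTF_8))
                + stateless.substring(stateless.lastIndexOf('.'));
        System.out.println("valid:  " + t.confirmHmacToken(stateless));
        System.out.println("forged: " + t.confirmHmacToken(forged));
    }
}
```

Run it with `java ConfirmationTokens.java` (JDK 11 or later). The first stored-token lookup yields the email and the second yields null because the record was consumed; the stateless token verifies, and the forged one (a different email spliced onto the original tag) is rejected by the HMAC check. The trade-off is the one the answer describes: the stored variant needs a table but gives you single use and revocation, while the HMAC variant needs no storage but any intercepted link stays valid until its expiry and the email address travels in the URL.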