I'm currently in the midst of developing a website using PHP and MySQL. It's a private website, therefore registrations must be allowed using emails. In simple terms, if a new user has to be registered, the administrator has to go into the system and add an email address to be registered.
What I want to create is a token or a pass value when this does happen.
Here are the steps:
- Administrator adds an email to the system
- A unique token value is created (e.g. 1234567890)
- The token value is then sent to the user's email
- The user goes to the link provided and enters his email and the token value
- If success: user is allowed to register
- If fail: token is regenerated and sent again to that email address
What I really want to know is what would be the best practice to create a token, and how can we ensure we create a unique token every time an email is registered?
For further security I can ensure that each token is only live for a couple of hours. But would this prevent unauthorized access into the system, or is this a bad idea for securing my website?
My thoughts on creating a unique token: use hashing algorithms that use a SALT so the results cannot be predicted or decrypted (problems with MD5).
Any help or a lead towards the right direction would be greatly appreciated.
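The invitation flow described in the question, written out as an added example (this is not code from the original post): the token comes straight from PHP's CSPRNG via `random_bytes()` rather than from a salted hash of something guessable, the database stores only a SHA-256 digest of it with an expiry and a used flag, and verification compares digests with `hash_equals()` so the check runs in constant time. SQLite in memory stands in for MySQL so the script runs stand-alone; the `invitations` table, its columns and the two-hour lifetime are assumptions for the example.

```php
<?php
// Added example: invitation-token issue/verify flow for an admin-invited registration.
// SQLite in memory stands in for MySQL so this runs by itself; the table layout is assumed.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 2 * 3600;   // assumed lifetime: two hours, as the question suggests

function connect(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE invitations (
        email      TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL,      -- SHA-256 of the token, never the token itself
        expires_at INTEGER NOT NULL,   -- unix timestamp
        used       INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Issue (or re-issue) a token for an invited email. Returns the raw token, which is
// only ever placed in the email sent to the user; the database keeps just its digest,
// so a leaked table does not hand out live invitations.
function issueToken(PDO $db, string $email): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG: unguessable and unique
    $stmt = $db->prepare('INSERT OR REPLACE INTO invitations (email, token_hash, expires_at, used)
                          VALUES (:email, :hash, :exp, 0)');
    $stmt->execute([
        ':email' => strtolower(trim($email)),
        ':hash'  => hash('sha256', $token),
        ':exp'   => time() + TOKEN_TTL_SECONDS,
    ]);
    return $token;
}

// Check the email/token pair the user typed in. Success marks the token used so it
// cannot be replayed; any failure (unknown email, expired, already used, wrong value)
// is reported the same way so the response does not reveal which part was wrong.
function verifyToken(PDO $db, string $email, string $submitted): bool {
    $email = strtolower(trim($email));
    $stmt = $db->prepare('SELECT token_hash, expires_at, used FROM invitations WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // never invited: nothing to regenerate
    }
    $ok = (int) $row['used'] === 0
        && (int) $row['expires_at'] > time()
        && hash_equals($row['token_hash'], hash('sha256', $submitted));   // constant-time compare
    if ($ok) {
        $db->prepare('UPDATE invitations SET used = 1 WHERE email = :email')
           ->execute([':email' => $email]);
    }
    return $ok;
}

// Walk through the steps from the question with a constructed address.
$db    = connect();
$email = 'invitee@example.com';

$token = issueToken($db, $email);                    // admin adds the email; token is mailed out
var_dump(verifyToken($db, $email, 'wrong-value'));   // bool(false): wrong token
$token = issueToken($db, $email);                    // on failure, regenerate and re-send
var_dump(verifyToken($db, $email, $token));          // bool(true): user may now register
var_dump(verifyToken($db, $email, $token));          // bool(false): token is single use
```

Two design notes. Uniqueness does not need a database check: 256 random bits from `random_bytes()` will not collide in practice, and the `email` primary key means re-issuing simply replaces the previous token, so an old link stops working as soon as a new one is sent. The "regenerate on failure" step from the question also means anyone who can submit a wrong value for a known email can trigger a new message to that inbox, so in production it is worth counting failed attempts per email and per client address and pausing re-sends once a small limit is reached.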