Usually on any website, after you register they send you an e-mail with an account activation code. Is there some information or best practices about this technique somewhere?
Like, how do you generate them, how do you store them, and do you encode these activation codes or not?

+1  A: 

Generating an activation code can be as simple as generating a random number with a fixed number of digits.

Personally I do this, then store the generated code in the users table of the database along with the username/password/email etc., so that it can be quickly verified when the link is clicked and your checking code runs.

I usually go with a 'long' data type and generate 9-digit random numbers, and store these raw (not encoded) in the database for easy retrieval. Passwords should be encoded, but an activation code is a single-use, throw-away value so no need for any special consideration.

Psychic
It could happen that you generate the same long value for 2 accounts. How about using a Guid?
Omu
That wouldn't matter, as the ID would only be used against the account name that you are activating. All you need is something that isn't guessable.
Psychic
A: 

IMHO, the best way of doing it is not to store the key, and to generate it when you need it using a seed or a private key. Or use an MD5 digest kind of logic with specific user params: generate a string "username-email-id", hash it and send it in the email; when the user clicks it, try to generate the key again and match it against the user key. No need for storage and not possible to regenerate.

Teja Kantamneni
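
A keyed variant of the stateless approach described in the last answer, as an added example that is not part of any post on this page. It swaps the MD5 digest for HMAC-SHA256 under a server-side key and adds an expiry; `SERVER_KEY`, `TOKEN_LIFETIME` and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

# Assumption: a secret loaded from server configuration; constructed value here.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_LIFETIME = 24 * 3600  # seconds; assumed policy


def _mac(user_id, username, email, expires):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = [str(user_id), username, email.lower(), str(expires)]
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_activation_code(user_id, username, email, now=None):
    """Return 'expires.mac' to embed in the activation link; nothing is stored."""
    now = int(time.time()) if now is None else int(now)
    expires = now + TOKEN_LIFETIME
    return f"{expires}.{_mac(user_id, username, email, expires)}"


def verify_activation_code(code, user_id, username, email, now=None):
    """Recompute the MAC from the account row and compare in constant time."""
    now = int(time.time()) if now is None else int(now)
    try:
        expires_text, mac = code.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False  # malformed code: no separator or non-numeric expiry
    if expires < now:
        return False  # link is past its lifetime
    expected = _mac(user_id, username, email, expires)
    # Compare as bytes so a non-ASCII submitted value cannot raise TypeError.
    return hmac.compare_digest(expected.encode(), mac.encode())
```

Because nothing is stored, a code stays valid until it expires, so the activation handler should treat an already-active account as a no-op.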