Hi

I'm writing a web application in Java where at some point a user can enter their email address to receive an email. My question is about the verification of this email address (so it's not about the validation!). I'm tagging this question also with google-app-engine, because the application will live there, but I don't think that matters too much.

Anyway, for people who have a Google account I use the App Engine's User API to verify that address, but for other people I would like to send a verification email that provides them with a URL. Very standard I would think, but are there also standard ways to generate the URL? Or is just creating a hash of the email address, storing that in a database and putting it as a parameter in the URL sufficient?

A: 

Create a servlet that will check, given a key (say, some random string), whether that key was given out previously. The key needs to be cryptographically secure so that it cannot be guessed by an attacker wanting to pose as somebody.

Then, when someone signs up with an email, you send a link containing that key to the address they claim they own. If at some point in the future, the link you sent arrives at your server, you can record that event, and be confident that the email address is a correct one.

Chii
Well, it's mostly a good way to create the cryptographically secure key that I'm stuck on.
nvcleemp
Ah, that's fairly easy - generate a secure random from Java's SecureRandom - it's good enough for your purposes. Make sure you regularly reseed the secure random too.
Chii
+1  A: 

I wouldn't use an e-mail hash in the verification e-mail. That would be too easy to guess and someone could actually try to falsify that.

If I were to implement it, I would add a random GUID and store it in the DB for verification. I don't know if it is a standard way to do verification or not...

Paweł Dyda
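
The scheme the two answers describe (a random key stored server-side, sent in the link, and checked when the link comes back), as an added example that is not part of the original thread. The in-memory map standing in for the database, the 24-hour expiry, storing only a SHA-256 digest of the key, and the example.com names are assumptions; records need Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class EmailVerification {
    private record Pending(String email, Instant expires) {}
    private static final Duration TTL = Duration.ofHours(24); // assumed link lifetime
    private final SecureRandom rng = new SecureRandom();
    // Stand-in for the database table: SHA-256(key) -> address awaiting verification.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    // Generates the key to put in the emailed link; only its digest is stored.
    public String issue(String email) {
        byte[] raw = new byte[32]; // 256 bits from the CSPRNG, unrelated to the address
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(digest(token), new Pending(email, Instant.now().plus(TTL)));
        return token;
    }

    // Called by the servlet that handles the link; a key works once and only before expiry.
    public Optional<String> verify(String token) {
        Pending p = token == null ? null : pending.remove(digest(token));
        if (p == null || Instant.now().isAfter(p.expires())) return Optional.empty();
        return Optional.of(p.email());
    }

    private static String digest(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every JVM
        }
    }

    public static void main(String[] args) {
        EmailVerification v = new EmailVerification();
        String token = v.issue("user@example.com"); // constructed sample address
        System.out.println("https://app.example/verify?key=" + token); // hypothetical URL
        System.out.println(v.verify(token) + " then " + v.verify(token)); // second use fails
    }
}
```

Looking the key up by its digest means a leaked copy of the table does not yield usable links, and the lookup never compares secret strings character by character.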