2

I need to create an activation system for a website. The user registers, gets an email, then clicks a link with a secret key in the query string, and a script on my end decodes it.

My question is not on the programming itself, but rather, what is a good way of generating the link? Hashing was a thought but it is one way. Should I be encrypting something? Does anyone who has been tasked with this same thing have any insight?

Is there a way to do it that both does not store any secret code in the database and does not put any obvious user info in the query string?

The user is in a table with primary key id and other info. It does not need to be insanely secure but should not be easily breakable. I'm doing this with PHP. I couldn't find a similar question, so if I have overlooked one I would appreciate a link.

chiliNUT
  • check this here http://stackoverflow.com/questions/876139/how-to-generate-a-secure-activation-string-in-php – pregmatch Oct 21 '13 at 12:11
  • The safest way to do what you said is to use a globally unique identifier (GUID, UUID, whatever the alias might be). In PHP there's a function called `uniqid()` that does something like that. MySQL on the other hand has a function called `UUID()`. Personally, I'd use MySQL's function to create `UUID()`, assign it to the record and then use that for sending out as an activation identifier. On the other hand, speed-wise, it's much more efficient to use PHP's `uniqid()` because it's shorter and indexing it will be more efficient. – N.B. Oct 21 '13 at 12:14
  • Update: about NOT storing anything to the database - it's possible. You could encrypt the ID somehow, but then you risk possible breakage of your encryption method. Choosing one of the AES algorithms and a good key might be sufficient. That way you won't store additional data (activation link) but you have a problem of how to safely send encrypted data. You could go with `base64_encode` to encrypt the ID. The other idea is to have an additional column (or table mapping to records) and use globally unique identifiers that you send out via email. – N.B. Oct 21 '13 at 12:51

1 Answer

4

I have done this before by doing an md5 on the concatenated record id and email address. You could throw in a few extra characters or fields if you want. Then when the user clicks the link you just run the same select again to see if you get a match.

-- generate the key
select md5(concat(id,email,'Some custom text')) as `verification_key` from ...

-- verify the user: pass the key from the link as a bound query parameter
-- (shown here as :verification_key); never interpolate it into the SQL string
select * from user where :verification_key = md5(concat(id,email,'Some custom text'));

Then you can update the user record to mark as verified.

695Multimedia
  • Thanks, our old system did not hit the table for activation so I was trying to avoid it, but this should work just fine for me. – chiliNUT Oct 21 '13 at 22:21
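For the two requirements in the question (no per-user secret stored, no readable user info in the link), carried a step further than the answer's md5-of-columns: an authenticated-encryption token in PHP, where one server-side key both hides the id and lets the server detect a tampered or forged link. This is an added example, not the question's or the answer's code; the key source, the `id.expiry` payload layout and the 24-hour window are assumptions.

```php
<?php
// Added example (not the question's or answer's code): a stateless activation
// token built with AES-256-GCM. Nothing is stored per user; the only secret is
// one 32-byte server key, assumed to be kept outside the database.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $s) {
    return base64_decode(strtr($s, '-_', '+/'), true);   // false on bad input
}

// Build the token for the activation link: base64url(iv . tag . ciphertext).
function make_activation_token(int $userId, string $key, int $ttl = 86400, ?int $now = null): string {
    $exp   = ($now ?? time()) + $ttl;        // expiry keeps a leaked link from working forever
    $plain = $userId . '.' . $exp;           // assumed payload layout: "id.expiry"
    $iv    = random_bytes(12);               // fresh nonce per token; never reuse with the same key
    $tag   = '';
    $ct    = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return b64url_encode($iv . $tag . $ct);
}

// Return the user id if the token decrypts, authenticates and is unexpired; null otherwise.
function verify_activation_token(string $token, string $key, ?int $now = null): ?int {
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) < 12 + 16 + 1) return null;
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) return null;                       // wrong key, altered or forged token
    if (!preg_match('/^(\d+)\.(\d+)$/', $plain, $m)) return null;
    if ((int)$m[2] < ($now ?? time())) return null;          // expired
    return (int)$m[1];
}

// Usage (assumed: key stored base64-encoded in an environment variable).
$key   = base64_decode(getenv('ACTIVATION_KEY'));            // must decode to 32 bytes
$token = make_activation_token(42, $key);                    // 42: constructed sample user id
$link  = 'https://example.com/activate?t=' . $token;
// On click: $id = verify_activation_token($_GET['t'], $key); if ($id !== null) mark $id verified.
var_dump(verify_activation_token($token, $key) === 42);     // bool(true)
```

Because the payload is encrypted rather than hashed, the verifier still has to look the user up by the recovered id, but the lookup is by primary key rather than by recomputing a hash over every row, and an expired or tampered link is rejected before the database is touched.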