Generating Confirmation Code for an Email Confirmation

Generating confirmation code for an email confirmation

$random_hash = md5(uniqid(rand(), true));

That will be 32 alphanumeric characters long and unique. If you want it to be shorter just use substr():

$random_hash = substr(md5(uniqid(rand(), true)), 16, 16); // 16 characters long

Alternative methods to generate random data include:

$random_hash = md5(openssl_random_pseudo_bytes(32));
$random_hash = md5(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));

// New in PHP7
$random_hash = bin2hex(random_bytes(32));

Best practices for email confirmation codes

When I need these kinds of tricks it is normally of one of two reasons, both mentioned by you:

As a key used for verification emails sent to the user
As a key used for password-reset links

Of course there would be numerous other occasions where you would consider using such a construction.

First of all, you should always use some kind of salt that is hidden and that only you know. Note that this salt should be different for each user. The salt could for example be calculated as sha256(something random). This salt should then be stored in the database along with the username and password (hashed with the salt).

What I would do when sending the password reset link is to create another salt (don't give the user access to anything hashed with your salt. He knows his password, so using bruteforce he could potentially figure out your salt). The other salt, which essentially is only a hash of a random string (you might wanna go for md5 here, as you mentioned that the length is an issue), should you then save into your database.

Often you can just get away with adding an additional column to your users table. This, however, also has a few problems, mainly that once the password has been reset or the user has been activated, you will remove the key from the database, which results in most rows having null values, which in turn brings some other trouble.

What this essentially boils down to:

Hash your users' passwords using a unique-for-the-user salt (and perhaps a global, secret salt).
Generate a key by hashing a number of random or pseudorandom sources like timestamps, mt_rand() or even random.org if you really want random stuff.
Never use your global salt or the salt that is unique to the user for hashing anything that the user gets access to, including password reset keys, activation keys, etc.

Please not that I am by no means a security expert, and I have probably forgotten a number of things, and I may have mentioned some very bad practice things. Just my 5 cents ;-)

How you create confirmation link for email?

I use similar practice, with the following differences:

I would make the URL, i.e. host.com/user/email/{code}/confirm secure, so that the user must login to verify himself. This ensures a bit more security. For example, if the user had typed a wrong email id while registering, that wrong person shouldn't be able to verify even after getting the mail.
Instead of searching by code, I would thus fetch the user by id (the id of the currently logged in user).
For the code, I use UUID.randomUUID().toString().

Also, it depends on personal choice, but I don't use an is_active flag. Instead, I have a roles set, in which I put "UNVERIFIED" role. That helps me populating the authorities of the user a bit more easily while using Spring Security. Another way would be just to check if the code is null or not.

email confirmation in node js

Save the confirmation code's expiration time with it in the database. Then, when you verify the code, also verify that it hasn't expired.

Generating Confirmation Code for an Email Confirmation