Generating confirmation code for an email confirmation
$random_hash = md5(uniqid(rand(), true));
That will be 32 alphanumeric characters long and unique. If you want it to be shorter just use substr():
$random_hash = substr(md5(uniqid(rand(), true)), 16, 16); // 16 characters long
Alternative methods to generate random data include:
$random_hash = md5(openssl_random_pseudo_bytes(32));
$random_hash = md5(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
// New in PHP7
$random_hash = bin2hex(random_bytes(32));
Best practices for email confirmation codes
When I need these kinds of tricks it is normally of one of two reasons, both mentioned by you:
- As a key used for verification emails sent to the user
- As a key used for password-reset links
Of course there would be numerous other occasions where you would consider using such a construction.
First of all, you should always use some kind of salt that is hidden and that only you know. Note that this salt should be different for each user. The salt could for example be calculated as sha256(something random). This salt should then be stored in the database along with the username and password (hashed with the salt).
What I would do when sending the password reset link is to create another salt (don't give the user access to anything hashed with your salt. He knows his password, so using brute force he could potentially figure out your salt). The other salt, which essentially is only a hash of a random string (you might want to go for md5 here, as you mentioned that the length is an issue), you should then save into your database.
Often you can just get away with adding an additional column to your users table. This, however, also has a few problems, mainly that once the password has been reset or the user has been activated, you will remove the key from the database, which results in most rows having null values, which in turn brings some other trouble.
What this essentially boils down to:
- Hash your users' passwords using a unique-for-the-user salt (and perhaps a global, secret salt).
- Generate a key by hashing a number of random or pseudorandom sources like timestamps, mt_rand() or even random.org if you really want random stuff.
- Never use your global salt or the salt that is unique to the user for hashing anything that the user gets access to, including password reset keys, activation keys, etc.
Please note that I am by no means a security expert, and I have probably forgotten a number of things, and I may have mentioned some very bad practice things. Just my 5 cents ;-)
How you create confirmation link for email?
I use similar practice, with the following differences:
- I would make the URL, i.e. host.com/user/email/{code}/confirm, secure, so that the user must login to verify himself. This ensures a bit more security. For example, if the user had typed a wrong email id while registering, that wrong person shouldn't be able to verify even after getting the mail.
- Instead of searching by code, I would thus fetch the user by id (the id of the currently logged in user).
- For the code, I use UUID.randomUUID().toString().
Also, it depends on personal choice, but I don't use an is_active flag. Instead, I have a roles set, in which I put "UNVERIFIED" role. That helps me populating the authorities of the user a bit more easily while using Spring Security. Another way would be just to check if the code is null or not.
email confirmation in node js
Save the confirmation code's expiration time with it in the database. Then, when you verify the code, also verify that it hasn't expired.
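The pieces above (a CSPRNG token via random_bytes(), a stored secret that is never derived from the user's password salt, and an expiry check at verification time) put together in one added PHP example. This is not code from any of the answers; it assumes a PDO connection and a hypothetical table email_confirmations(user_id, token_hash, expires_at).

```php
<?php
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // constructed value: links are valid for one hour

// Issue a token: 32 bytes from the CSPRNG (random_bytes, PHP 7+), sent to the
// user as 64 hex characters. Only its SHA-256 is stored, so reading the table
// (e.g. via SQL injection elsewhere) does not yield a usable confirmation link.
function createConfirmationToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO email_confirmations (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, hash('sha256', $token), time() + TOKEN_TTL_SECONDS]);
    return $token; // goes into the e-mail link, e.g. /confirm?token=...
}

// Verify a presented token: reject malformed input, look up by hash, enforce
// expiry, and delete the row so the link is single-use. Returns the user id
// on success, null for unknown, expired or already-used tokens alike.
function confirmToken(PDO $db, string $presented): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $presented)) {
        return null; // not even the right shape; no database access needed
    }
    $tokenHash = hash('sha256', $presented);
    $stmt = $db->prepare(
        'SELECT user_id, expires_at FROM email_confirmations WHERE token_hash = ?'
    );
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown token
    }
    // Consume the row before checking expiry so an expired row is also cleaned up.
    $db->prepare('DELETE FROM email_confirmations WHERE token_hash = ?')->execute([$tokenHash]);
    if ((int) $row['expires_at'] < time()) {
        return null; // expired: treated exactly like an unknown token
    }
    return (int) $row['user_id'];
}

// Stand-alone demo against an in-memory SQLite database (constructed schema).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE email_confirmations (user_id INTEGER, token_hash TEXT UNIQUE, expires_at INTEGER)');
$token = createConfirmationToken($db, 42);
var_dump(confirmToken($db, $token)); // first use succeeds
var_dump(confirmToken($db, $token)); // second use fails: the row was consumed
```

Sending the user a link that works only once and only for a limited time is what makes the "verify that it hasn't expired" step above meaningful; hashing the stored token is the cheap extra that keeps a database leak from turning into account takeovers.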