Generation of Email Validation Links

Question

For a Web Application I'd like to generate an email validation link and send it to the user. Like on many public websites, the user should click it to validate his email address. Looks similar to this:

http://www.foo.bar/validation?code=421affe123j4h141k2l3bjkbf43134kjbfkl34bfk3b4fkjb43ffe

Can anybody help me with some hints about the proper generation of those validation tokens? Googling best practices turned out to be more difficult than I though it would be. The links should:

• ... not require the user to log in first.
• ... not reveal any login credentials to keep the application secure
• ... allow me as a developer to efficiently validate the token. I'm pretty sure I need a way to extract the user identifier out of the code to meet this criteria. Don't I?

Furthermore, would you go for a random code, which is saved somewhere, or a generated code which I can recalculate for validation?

Thanks for any replies!

Matthias

P.S. I'm working with ASP.NET 3.5, in case there's an out-of-the-box feature to perform this.

Answer 1

Some suggestions to get you started:

• Use GUIDs
• Use some sort of salted hash (MD5, SHA1, etc)
• Use a random string of characters (the more characters the less likely you'll have collisions)
• Store it in a database temporarily, and timestamp it so that it expires after a certain period of time

Answer 2

The simplest way to do it is generate a GUID, store that in the database tying it to their user account and then give them a time-frame within which to click a link with that GUID in.

That validates they are the correct person without making the URL calculable whilst making it resistant to dictionary style attacks.