How does confirmation email of user registration work?

Question

When you register yourself on any website, you get an email with a confirmation link in the inbox of the email address which is provided during registration. Only when you click on this link, then you will be able to login.

How does this work and how could I implement the same thing in Struts2?

Answer 1

There are probably a lot of different ways to do this. The requirements are that the "magic" confirmation links be very hard to synthesize. In other words, it should be the case that the only way to get a working confirmation link is to go through the sign-up procedure.

You could generate random (very big) numbers and use those as keys, but that is generally not very secure (because "random" usually doesn't mean "really random"). Another approach is to use "secret" information that only the authorized user and the site itself can know, and then hash that. A combination of those two approaches would also work.

So your site gathers registration information, then generates a big "magic" key and sends email. The key should be encoded into the URL you put in the email. (Web security "best practices" people generally don't like clickable URLs in email, so you may also want to transmit the key in such a way as to make it easy for people to cut and paste it into a special confirmation form.)

I've always kept the generated magic keys in a table, so that they can be marked as "used" once the new user has finished the confirmation process.

Answer 2

You mean verification e-mail so the user needs to confirm his e-mail address is valid?

If so, you can create a unique link and send it to the e-mail address. The link should be a script that will validate the code passed to it.

There's a lot of examples on the internet about this.