New user email verification code (Best practices) [closed]

Question

I have been studying the best practices are for email verification of a user who is trying to register on a site. (I am running a laravel installation and this is happening in php, though this is more of a theoretical question). I have a few questions I would like to get some opinions on!

1. Would there be any use in storing the activation keys longer than needed? As of now I have set it up to delete the key once the user activates his/her account.
2. When I clear the data from the table, post activation, does the space get de-allocated? or is it just emptied?
3. Is there a better way to do this process? (I had a vague idea of using a temporary "tokens" table with the key and the email ids as columns, a new row being added every time a registration occurs, which is then deleted once the user confirms (Or, after a particular timeout period)
4. Ideally, what should be the size of the generated key? A simple 5 digit alpha numeric code can hold 60 million+ combinations, so is there any real need to hash this?

I've been researching this for a while, my aim is to make my system perfectly scalable and as efficient as I can make it. Any information/discussions are welcome.

Answer 1

1. If the user clicks on the activation code, and you delete it, then he forgets that he clicked it and clicks it again, he might be confused when the code is not recognized. I would let the activation code stay active until it expires, which would at least match the explanation that should be in your email.

2. Deleting data from a MySQL table (assuming InnoDB) marks the space as ready to delete. Later, a background thread really deletes it and the space is available to be re-used. But as with any process of fragmentation, the space might be too narrow for most future rows. Eventually if you run OPTIMIZE TABLE, the table is copied over and this naturally defragments it.

3. Yes, generate a unique key associated with the email. Let it expire in a fairly short time, perhaps 1 hour.

4. I'd use UUID(). Users should click on a link in the email your app sends them -- the user should not have to type in the token. So it isn't a burden if it's long. UUID() is a good way to generate a strongly unique random token.