verify a user via e-mail in PHP

爱一瞬间的悲伤 2021-01-15 00:21

I'm actually creating a web application using PHP and seek help verifying a user. As with certain websites, when you register, an e-mail is sent to you with a confirmation

3 Answers
  • 2021-01-15 00:29

    Just like with CSRF protection, you generate a unique token.

    $token =  md5(uniqid(rand(), TRUE));
    

    You store that value in your session for that email, and when the user clicks the link in the email (you pass the token via the query string) you compare the two values.

    To make it more secure you could, just as with CSRF, add a time limit.

  • 2021-01-15 00:32

    This is a very broad question, so we can only give a broad answer, but the general technique to do so is

    1. insert the user's email address into your database but mark it as unverified
    2. create a unique registration key and insert it into a different table just for these keys
    3. send an email to the user's email address with a link to your site that passes this registration key as an argument (e.g. http://site.com/confirm.php?key=1234)
    4. when that url is visited, mark the email as verified and remove the temporarily created registration key
  • 2021-01-15 00:52

    Patrick's answer is correct, although I want to point out that there are other possibilities!

    You don't necessarily have to create and store a unique token in your database. This is data overhead that is only needed once.

    You could also take advantage of one-way hashing.

    For example, send the user the code md5('my-secret-application-token'.$user_email_adress).

    You can validate that just the same way but don't need to store a secret code.

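The stateless approach from the last answer combined with the time limit suggested in the first, as an added example that is not part of any answer above: it signs the address and an expiry with HMAC-SHA256 rather than md5(secret . email), and compares with hash_equals. APP_SECRET, LINK_TTL and both function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: in a real application the secret is loaded from configuration.
// The literal below is a constructed placeholder so the script runs as-is.
const APP_SECRET = 'constructed-placeholder-secret';
const LINK_TTL   = 86400; // assumed link lifetime in seconds (24 hours)

/** Build the query string for the confirmation link (hypothetical helper). */
function make_verification_query(string $email, int $now): string
{
    $expires = $now + LINK_TTL;
    // Sign expiry and e-mail together so neither can be changed on its own.
    // $expires is digits only, so the '|' separator is unambiguous.
    $sig = hash_hmac('sha256', $expires . '|' . $email, APP_SECRET);
    return http_build_query(['email' => $email, 'expires' => $expires, 'sig' => $sig]);
}

/** Validate the parameters received by the confirmation page (hypothetical helper). */
function check_verification_query(array $q, int $now): bool
{
    $email   = $q['email']   ?? null;
    $expires = $q['expires'] ?? null;
    $sig     = $q['sig']     ?? null;
    // Reject missing values and arrays (e.g. ?sig[]=x) before using them.
    if (!is_string($email) || !is_string($expires) || !is_string($sig)) {
        return false;
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false; // malformed or expired link
    }
    $expected = hash_hmac('sha256', $expires . '|' . $email, APP_SECRET);
    // Constant-time comparison; == is loosely typed and leaks timing.
    return hash_equals($expected, $sig);
}

// Constructed sample run covering three cases.
$now = time();
parse_str(make_verification_query('alice@example.com', $now), $params);
var_dump(check_verification_query($params, $now));                // case: untouched link
var_dump(check_verification_query($params, $now + LINK_TTL + 1)); // case: after expiry
$params['email'] = 'mallory@example.com';
var_dump(check_verification_query($params, $now));                // case: e-mail swapped
```

Because nothing is stored, a link cannot be revoked individually and stays valid until it expires, so the confirmation page should treat an already verified address as a no-op.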