I would like to make e-mail verification in my website.
I plan to send the user an email with an activation link, and in the link I plan to include a key made with:
str(uuid.uuid4())
which will be stored in a table, where I will also store a boolean indicating whether the user has used this link (activated the account) and the date when the key expires.
My questions:
Is it a good approach? Safe, reliable? Do I have to check whether uuid.uuid4() is unique? Are uuid.uuid4() values safe for being parts of a URL?
Yes, this should be sufficient enough for email verification.
According to Georg Schölly,
uuid4() generates ... a random UUID. The chance of a collision is really, really, really small. Small enough, that you shouldn't worry about it. The problem is, that a bad random-number generator makes it more likely to have collisions.
Who then quoted Bob Aman,
Frankly, in a single application space without malicious actors, the extinction of all life on earth will occur long before you have a collision, even on a version 4 UUID, even if you're generating quite a few UUIDs per second.
So I would say this is safe and reliable for email verification. And there should not be a need to make sure the UUID4 is unique (but it couldn't hurt to check when generating it). Also, as long as the UUID is hex-encoded (its canonical form), it is safe for being part of a URL.
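The scheme described in the question, as an added example that is not part of the original post or answer: the key is stored with an expiry and a used flag, a primary-key constraint stands in for the uniqueness check, and activation is one atomic UPDATE so a link works only once. The table name `activation`, the function names, the in-memory SQLite database and the 24-hour lifetime are assumptions made for illustration.

```python
import re
import sqlite3
import time
import uuid

# Canonical UUID text: lowercase hex digits and hyphens only, so no URL escaping is needed.
TOKEN_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def open_db():
    db = sqlite3.connect(":memory:")  # in-memory stand-in for the real table (assumption)
    db.execute(
        "CREATE TABLE activation ("
        " token TEXT PRIMARY KEY,"        # the database itself rejects a duplicate key
        " user_id INTEGER NOT NULL,"
        " expires_at INTEGER NOT NULL,"   # Unix time after which the key is dead
        " used INTEGER NOT NULL DEFAULT 0)"
    )
    return db

def issue_token(db, user_id, now=None, ttl=24 * 3600):
    """Create and store a key for user_id; retry in the unlikely case of a collision."""
    now = int(time.time()) if now is None else now
    while True:
        token = str(uuid.uuid4())
        try:
            with db:  # commit on success, roll back on error
                db.execute(
                    "INSERT INTO activation (token, user_id, expires_at) VALUES (?, ?, ?)",
                    (token, user_id, now + ttl),
                )
            return token
        except sqlite3.IntegrityError:
            continue  # key already present: draw another one

def activate(db, token, now=None):
    """Return the user_id if the key is valid, unused and unexpired, else None."""
    now = int(time.time()) if now is None else now
    if not TOKEN_RE.fullmatch(token):
        return None  # reject anything that is not a canonical UUID before querying
    with db:
        # The check and the flag update happen in one statement, so two
        # concurrent requests with the same link cannot both succeed.
        cur = db.execute(
            "UPDATE activation SET used = 1"
            " WHERE token = ? AND used = 0 AND expires_at > ?",
            (token, now),
        )
        if cur.rowcount != 1:
            return None
        row = db.execute("SELECT user_id FROM activation WHERE token = ?", (token,)).fetchone()
    return row[0]
```
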
Source: https://stackoverflow.com/questions/23711489/e-mail-verification-with-keys-made-with-uuid-uuid4-safety-and-uniquness-of-gen