I am currently in the midst of developing a website using PHP and MySQL. It is a private website, therefore registrations must be allowed using emails. In simple terms, if a new user has to be registered, the administrator has to go into the system and add an email address to be registered.
What I want to do is to create a token or a pass value when this happens.
Here are the steps:
- Administrator adds an email to the system
- A unique token value is created (e.g. 1234567890)
- The token value is then sent to the user's email
- The user goes to the link provided and enters his email and the token value
- If Success - User is allowed to register
- If Fail! - Token is regenerated and sent again to that email address
What I really want to know is what would be the best practice to create a token and how can we ensure to create a unique token every time an email is registered.
For further security, can I ensure that each token only lives for a couple of hours? But would this prevent unauthorized access into the system, or is this a bad idea for securing my website?
My thoughts on creating a unique token: use hashing algorithms that use a SALT so the results cannot be predicted or decrypted (problems with MD5).
Any help or a lead in the right direction would be great.
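The issue/verify/expire flow described in the question, as an added example (not code from the asker or from any answer). It assumes PDO with an in-memory SQLite table so it runs offline; the table name, column names and the two-hour lifetime are assumptions. The token is drawn from the CSPRNG (`random_bytes`), so uniqueness comes from 256 bits of entropy rather than from a hashing-with-salt scheme; only a SHA-256 digest of the token is stored, the comparison is constant-time, a token is single-use, and an expired or wrong token simply fails so a new one can be issued.

```php
<?php
// Added example: invitation-token issue and verify flow for a private-registration site.
// Assumes a PDO connection; an in-memory SQLite table is used here so the script runs offline.
// For MySQL, swap "INSERT OR REPLACE" for "REPLACE INTO" or "INSERT ... ON DUPLICATE KEY UPDATE".

const TOKEN_TTL_SECONDS = 2 * 3600; // assumed lifetime: tokens live for a couple of hours

function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE invitations (
        email      TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL,
        expires_at INTEGER NOT NULL,
        used       INTEGER NOT NULL DEFAULT 0
    )');
}

// Issue a fresh token for an email. Returns the plaintext token to put in the emailed link;
// only its SHA-256 digest is stored, so a leaked table does not expose live tokens.
// Re-issuing for the same email replaces the old row, which is the "regenerate on fail" step.
function issueToken(PDO $db, string $email): string {
    $token = bin2hex(random_bytes(32)); // 64 hex chars, 256 bits from the OS CSPRNG
    $stmt = $db->prepare('INSERT OR REPLACE INTO invitations (email, token_hash, expires_at, used)
                          VALUES (:email, :hash, :exp, 0)');
    $stmt->execute([
        ':email' => strtolower(trim($email)),
        ':hash'  => hash('sha256', $token),
        ':exp'   => time() + TOKEN_TTL_SECONDS,
    ]);
    return $token;
}

// Verify email + token. Returns true once (and marks the token used); false for an unknown
// email, a used or expired token, or a digest mismatch. $now is injectable for the demo.
function verifyToken(PDO $db, string $email, string $token, ?int $now = null): bool {
    $now  = $now ?? time();
    $addr = strtolower(trim($email));
    $stmt = $db->prepare('SELECT token_hash, expires_at, used FROM invitations WHERE email = :email');
    $stmt->execute([':email' => $addr]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['used'] === 1 || (int)$row['expires_at'] < $now) {
        return false;
    }
    // hash_equals() compares in constant time, so response timing does not leak the digest.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $db->prepare('UPDATE invitations SET used = 1 WHERE email = :email')->execute([':email' => $addr]);
    return true;
}

// Demo run (constructed sample address)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

$token = issueToken($db, 'invitee@example.com');                       // this value goes in the email
var_dump(verifyToken($db, 'invitee@example.com', 'not-the-token'));    // bool(false): wrong token
var_dump(verifyToken($db, 'invitee@example.com', $token));             // bool(true):  first use succeeds
var_dump(verifyToken($db, 'invitee@example.com', $token));             // bool(false): single-use, already spent

// Expiry check: with a clock just past the lifetime the token is rejected, so re-issue one.
$token2 = issueToken($db, 'invitee@example.com');
var_dump(verifyToken($db, 'invitee@example.com', $token2, time() + TOKEN_TTL_SECONDS + 1)); // bool(false)
$token3 = issueToken($db, 'invitee@example.com');                      // regenerated and re-sent
var_dump(verifyToken($db, 'invitee@example.com', $token3));            // bool(true)
```

The short lifetime limits how long an intercepted or mis-delivered email remains useful, but it is not what keeps uninvited users out; that comes from the token being unguessable (256 random bits) and from binding it to the email the administrator entered, so a valid token still only lets that address through.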