douyouchou1085
2011-11-19 13:30 阅读 83
已采纳

验证未经验证的电子邮件地址?

Say a user registers on a site with an email address that needs to be verified first before accepting the user's registration.

The general approach is to send an email to the email address provided. The user then checks his/her inbox and clicks a link that would tell the site that the email address is valid. Usually, the link would have some sort of code embedded in it that tells the site whether it's a legit validation of the email address.

My question is about the code. What's the best way to implement it? Some ideas:

  1. A random string is generated when a new address is entered into the site. This random string is stored in the the DB and then emailed to the registrant. The link in the email will contain the random string as part of the URL.
  2. The email addressed is hashed. This means nothing needs to be saved in the database because the application will know how to unhash this. (My concern with this approach is if the user later changes his email address to something he previously entered, the hash would be the same. Not sure if this poses some sort of security threat.)
  3. Some other approach?

I'm looking for general advice to this problem.

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

2条回答 默认 最新

  • 已采纳
    duannue2455 duannue2455 2011-11-19 13:34

    Number one, the random string, is the safest (and AFAIK, the most common) way to go: It makes it completely impossible to maliciously do things to E-Mail addresses that I haven't received the E-Mail for.

    Also, you can remove the random string after successful completion, making it clear that that particular address doesn't need activation any more.

    点赞 评论 复制链接分享
  • douyuepa192093 douyuepa192093 2011-11-19 13:34

    i'm using 1st approach every time

    1. Create a random code
    2. Store it at DB
    3. Mail it to user with clickable link like activation.php?key=blabla
    4. At activation page let user able to enter it manually too
    5. At submit compare the keys
    6. Activate user
    7. If user change mail adress return 1
    点赞 评论 复制链接分享

相关推荐