I am almost done with this module. Here is my implementation.
Whenever the user registers with my website, one link will be sent to her email address for activation.
I am a little bit confused here. What should I include in the link so that I can identify the user uniquely? I should not include the userId itself. I am thinking of including the current timestamp in milliseconds and mapping it to the particular user. Does this sound good to you guys? Please provide me some better way. I know that this is very, very basic functionality and it's been implemented tons of times in different websites. How did you implement it?
In case I continue with this way of implementation, this is what the database would look like.
- email address
- userId (FK from Login table)
- The Code To Identify The User Uniquely
Every time the user logs into the system, we can verify emailAddress, password and whether she is an active user or not.
This is how I am thinking to implement it. Please provide your thoughts.
Generate a long and unique key which is hard to guess (thus certainly not a timestamp). For example an MD5 of a random string. You can also use a preshared key. Store it in the database table along with the user ID and an expiration date (e.g. 24 hours later). Use that key as parameter or pathinfo in a link. When the page is opened, the key is captured from the link, the eventual preshared key is evaluated, the expiration date is evaluated and the user will be set to active. Then the key can be removed from the DB (it makes no sense to set the 'activated' in the key's table of the DB, keep it in the user table).
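The flow described in the answer above, as an added example that is not code from the thread. Assumptions: SQLite, the table, column and function names, a key taken directly from `secrets.token_urlsafe` instead of an MD5 of a random string, and storing only a SHA-256 hash of the key so a leaked table does not yield working links.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 24 * 3600  # the 24-hour expiry suggested in the answer

def open_db():
    # Hypothetical schema: the 'active' flag lives in the login (user) table;
    # the key table holds only the key hash, the user ID and the expiry.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (user_id INTEGER PRIMARY KEY, email TEXT, active INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE activation (key_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at REAL)")
    return db

def digest(key):
    # Assumption of this example: the raw key is never stored, only its hash.
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(db, user_id, now=None):
    """Create a single-use key for user_id and return it for the e-mail link."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("DELETE FROM activation WHERE user_id = ?", (user_id,))  # one live key per user
    db.execute("INSERT INTO activation VALUES (?, ?, ?)", (digest(key), user_id, now + TTL_SECONDS))
    return key

def activate(db, key, now=None):
    """Return the activated user_id, or None if the key is unknown or expired."""
    now = time.time() if now is None else now
    key_hash = digest(key)
    row = db.execute("SELECT user_id, expires_at FROM activation WHERE key_hash = ?", (key_hash,)).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    # Remove the key whether it was valid or expired, so it cannot be replayed.
    db.execute("DELETE FROM activation WHERE key_hash = ?", (key_hash,))
    if now > expires_at:
        return None
    db.execute("UPDATE login SET active = 1 WHERE user_id = ?", (user_id,))
    return user_id

if __name__ == "__main__":
    db = open_db()
    db.execute("INSERT INTO login (user_id, email) VALUES (1, 'user@example.com')")  # constructed sample
    key = issue_key(db, 1)
    print("https://example.com/activate?key=" + key)  # placeholder URL
    print(activate(db, key), activate(db, key))       # second use of the same key fails
```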
Thanks for your reply. I still have some doubts.
1) In case I use a preshared key, I can ask the user to enter it at registration time, right?
2) Is it good practice to expire the activation link? What is the good/benefit of that?
Bauke wrote: "Then the key can be removed from the DB"
Is it because there is a chance of getting it repeated?
Bauke wrote: "it makes no sense to set the 'activated' in the key's table of the DB, keep it in the user table"
You mean we should keep it in only Login table, right?