Registration with e-mail confirmation with token - PHP

1

Currently, what is the best way (the most secure and efficient) to require the user to confirm registration through a link sent to the e-mail they provided? What should I pay attention to in this process, what steps should I follow, and is the token very relevant? Or can I just use a function like this one, available on php.net: `$token = md5(uniqid(rand(), true));`?

Something else: usually, what is the lifetime of that token, and what method can I use to validate it via the link?

I thought of adding some fields like token, date and status and using the registration id itself to create this validation, but I'm having doubts about generating new tokens or simply checking the date and status while always keeping the same token. Is this a problem?

If someone can contribute somehow, I thank you!!!

2 answers

1

Hello

Your thinking is correct with regard to concern for security. But do not exaggerate in terms of strategy. As you said, Junior Silva, you don't have to be so strict.

Something else: usually, what is the useful life of that token, and how can I validate it via the link?

I usually have a user_history table where I store each user's time and token, and I search it before issuing a new token. Only if the last one is 2 hours old (for example) do I create a new token and return it to the login application.

This logic works well for both APIs and standalone applications.

MD5 is still an excellent option for tokens as long as we don't have quantum computing trying to break the passwords of every app around.

  • Thank you for your help, advice noted. I'm taking into account everything that was said to me!

-1

I believe your fears are complicating something that is not of such magnitude, friend. You can create your token with md5 as well as with other types of hash, or even create your own; it is up to you. The only requirement is that this hash, which in this case would be your token, needs to be an identifier of that process. You can pass it a kind of timestamp, or you can keep it in a database, but in the case of md5 it would not be possible to reverse-engineer it to get the time it was created, so I recommend something in the database: store this token in a column and in another put a datetime. This should be enough (I recommend that this table is only for this and not the same one that contains the records of users already validated). This way you validate this token and, as you like, check the datetime to know if it is still valid or not, comparing the value from when the token was generated with the date and time at the moment of validation using a simple condition; an if already solves this. If everything is in agreement, you register the user the way you want, taking them to a page where they must provide complementary data such as setting their access password, etc.

A new token should be generated whenever a new pre-registration is performed. Also store in this table a column that serves as an identifier, in this case the e-mail; this can already avoid the generation of redundant and unnecessary pre-records for the same potential user. I hope this has shed some light; good luck.

  • Thanks for the advice! It was helpful and helped me simplify the process!!
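The token-with-expiry flow both answers describe (a dedicated pre-registration table keyed by e-mail, a token column, a datetime column, a fixed lifetime), as an added example that is not from either answer. It uses random_bytes() as the token source instead of the md5(uniqid()) call from the question, stores only a SHA-256 hash of the token, and runs against an in-memory SQLite database so it works stand-alone; the table and column names and the sample address are constructed for this example.

```php
<?php
// Added example: e-mail confirmation tokens with expiry, kept in a dedicated
// table. Table/column names and the sample address are constructed here.

const TOKEN_TTL_SECONDS = 2 * 60 * 60; // 2-hour lifetime, as in the first answer

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pending_registrations (
        email      TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL,
        created_at INTEGER NOT NULL)');
    return $db;
}

// Issue a token for an e-mail address. One row per e-mail: a repeat request
// replaces the old token instead of creating a redundant pre-registration.
// Only a hash of the token is stored, so a leaked table does not expose live links.
function issueToken(PDO $db, string $email): string {
    $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT OR REPLACE INTO pending_registrations
                          (email, token_hash, created_at) VALUES (?, ?, ?)');
    $stmt->execute([$email, hash('sha256', $token), time()]);
    return $token; // this value goes into the confirmation link only
}

// Validate the token carried by the link. Returns the e-mail on success, null
// otherwise. The token is single-use: the row is deleted once consumed.
function confirmToken(PDO $db, string $email, string $token): ?string {
    $stmt = $db->prepare('SELECT token_hash, created_at FROM pending_registrations WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $expired = (time() - (int) $row['created_at']) > TOKEN_TTL_SECONDS;
    // hash_equals() compares in constant time, so a wrong guess leaks no timing
    $matches = hash_equals($row['token_hash'], hash('sha256', $token));
    if ($expired || !$matches) {
        return null;
    }
    $db->prepare('DELETE FROM pending_registrations WHERE email = ?')->execute([$email]);
    return $email;
}

$db = setupDb();
$token = issueToken($db, 'alice@example.com'); // constructed sample address
echo confirmToken($db, 'alice@example.com', $token) ? "confirmed\n" : "rejected\n";
echo confirmToken($db, 'alice@example.com', $token) ? "confirmed\n" : "rejected\n"; // same token, second use
```

The INSERT OR REPLACE form is SQLite syntax; on MySQL or PostgreSQL use the equivalent upsert statement.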
