时间敏感的令牌系统？

Question

Is there a way to be able to send a link through an email that includes a url parameter that verifies the link was sent by the server, and verifies that the link was clicked with a certain period of time after the token was generated?

Answer 1

You can do the following procedure:

1. generate a random, unique key, for each request from the user (or for each user you want to send the access to your server)
2. save the key, the email (or login) of the user, the time the token was generated;
3. send the key to the user, so he access your server throght a link

when the user access your server, you:

1. Verify if that link was used previously (if you want your link to be a one-time access only possibility)
2. verify when the token was generated and calculte if it's within the allowed time period (if it hasn't expired)
3. allow the user to access - do whatever you want
4. mark the token as used, if you want it to be used once.

Answer 2

You simply need a table to store the token,email addresss,date generated, date activated

when you generate the email you store the token email & generated date/time

in the email you put a url that contains a link to your web page and the token & email. eg:

http://mysite.co.uk/activate.aspx?token=jhsdjsdslkwww7474&email=blah@blah.com

The web page then has to find the token and email address check the date and update the date activated if it is valid.

Answer 3

I would store a random UUID in a distributed cache (for load balanced, multi-node system) and proceed as what woliveirajr mentioned above. You also need to make sure that users will not abuse your system, so having some provisioning in Load-balancer (F5) to detect human vs. programmatic requests will help introducing a level of protection. Modify your security policy as you deem necessary.

Answer 4

If a system was developed to generate unique keys, email out those keys and accept http requests from the email with those keys. Then yes.