创建用于电子邮件确认的唯一ID

Question

I need to create a unique ID for email confirmation, so when the customer click on the link it takes them to a page to enter their email, once they entered their emails, an email will be sent to them. A link is included in the email and by getting into the link they can change their password. its the process , but I need you to confirm my steps, first I generate a random number and add it to db associated to user's id, if that page is opened then I allow them to change password right ?

Answer 1

为此使用java.util.UUID。

Answer 2

Your procedure is almost correct. You should take care of following points though:

1) Make the key unpredictable, so that even with knowledge of the code, nobody can create it's own valid key. Since you are storing the key in the database anyway, you can create a "really-random" key, that's much better than using known values, like email and userid. Password reset functions are often the weakest link in the security of a web application.

// this (untested) code reads from the OS random source to create a random id
function createRandomKey($length)
{
  $buffer = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
  $encodedBuffer = base64_encode($buffer);
  return substr($encodedBuffer, 0, $length);
}

2) Do not store this random-key in the database directly, instead handle it like a password and store a hash from it. That helps in case that an attacker can read your database (SQL-injection), even then he won't get all the keys for free.

3) Give each key an expiry date, so "forgotten" keys cannot be used anymore.

4) A password reset key should be removed after using it, so delete it from the database after the password was successfully changed.

Edit:

Sorry, i missed the Java tag in your question and my example is in PHP. Unfortunately i cannot provide an example in Java, but the principle is the same.

Answer 3

I've used PHP for this. I generally created a hash of some sort of tracking info I can verify later. Like using an MD5 or SHA1 hash on the Email Address, or user ID. Or if you want you can just combine the two:

Java Script: hex_md5(random_number + user_id + something_else);

PHP: md5($email.$userID.$unique_server_key);

That should give you a unique key to track them by. Save this in your database as well as the variables used to generate it so you can track it later. I highly suggest the PHP version as since its server-side it will help keep malicious users from knowing your token generation algorithm.

JavaScript hash library: http://pajhome.org.uk/crypt/md5/

EDIT: Sorry, I too assumed the wrong language. For java you need to use a crypto library to generate a hash. Try this code (untested, I just typed it in)

import java.security.*;
.....
string hash = unique_salt_key.concat(user_id).concat(email);
byte[] hashBytes = hash.getBytes("UTF-8");
MessageDigest md = MessageDigest.getInstance("MD5");
byte[] emailCrypt = md.digest(hashBytes);
string emailToken = new String(emailCrypt)

I believe thats the correct use of the MD5. I just use the variables user_id and email as they are allready saved in your database. And using more then one constant from the database is best. Sorry if I'm a bit rusty on my java.

Answer 4

import java.security.*;
.....
string hash = unique_salt_key.concat(user_id).concat(email);
byte[] hashBytes = hash.getBytes("UTF-8");
MessageDigest md = MessageDigest.getInstance("MD5");
byte[] emailCrypt = md.digest(hashBytes);
string emailToken = new String(emailCrypt)



How to decrypt it again to get user_id and email?