
A simple question about e-mail confirmation and how to secure it


bugzy


What are you trying to secure it against?

 

Pikachu2000 I just thought a hacker might do something really bad if the confirmation code was blatantly there? Like force an account's e-mail to get unconfirmed again and stuff like that...


The only way something like that could happen is if your code specifically allows it to happen. Typically, once an email address has been confirmed, either the code is deleted from the record in the database, or a flag field is set to indicate that the address has already been confirmed. Your code should be written to check for that condition before allowing login, account information edits, etc.



So putting sha1 there is already overkill? The code just updates the user's "verified" column to true/false.


Just use a random token which is saved in a database and only valid for like 24 hours or something.

Why would you use encryption (sha1)? There is no sensitive data inside which needs to be encrypted.

This confirmation code is only to prove that the email recipient is valid.


sha1() is not encryption, it's hashing. Encryption is two-way, meaning you can decrypt to get the original content. Hashing is one-way, meaning there is no way to get the original content from a hash.

That said, there is no need to hash the unique code, since the value of the code is having the code itself; it has no content beyond itself. Even if you hash it, you have to store it in the database hashed, meaning it would be exactly the same as what the user needs to send to validate his/her email address.

 

Quite similar to putting a second lock on your door in case someone was able to copy your key, but then linking it to the first lock, so that when anyone unlocked the first lock, the second lock would automatically unlock itself. In that case, there is no point to the second lock.

 

Don't know if I've explained it so that it's understandable, but if not please let me know.


You should use a cryptographically secure random source.

 

rand() is based on time and has very limited entropy. This means it's actually quite predictable.

 

If you're running this on a *nix server, you should use /dev/urandom:

 

$handle = fopen('/dev/urandom', 'rb'); // OS-level CSPRNG, unlike rand()
$raw = fread($handle, 16);             // 16 bytes = 128 bits of entropy
fclose($handle);
$token = bin2hex($raw);                // 32 hex chars, safe to put in a URL

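Putting the thread's advice together (random token, stored with a 24-hour expiry, verified flag checked before login, code deleted once used), here is an added example that is not from any poster above. It uses PHP's built-in random_bytes() in place of reading /dev/urandom by hand, and an in-memory array with assumed column names stands in for the users table.

```php
<?php
// Added example, not from the thread. random_bytes() (PHP >= 7) reads the
// OS CSPRNG, the same source as the /dev/urandom snippet above.
// $users is an assumed stand-in for the users table; column names are assumed.
const TOKEN_TTL = 24 * 60 * 60;   // token valid for 24 hours, as suggested above

$users = [];

// Registration: store the token and its expiry, with verified = false.
function issueConfirmation(array &$users, string $email): string {
    $token = bin2hex(random_bytes(16));      // 128 bits, not guessable
    $users[$email] = [
        'verified'     => false,
        'confirm_code' => $token,
        'expires_at'   => time() + TOKEN_TTL,
    ];
    return $token;   // only ever sent inside the confirmation e-mail
}

// Confirmation link handler: set the flag and discard the code, so the same
// link cannot be replayed to re-confirm or otherwise touch the account.
function confirmEmail(array &$users, string $email, string $submitted): bool {
    if (!isset($users[$email]) || $users[$email]['confirm_code'] === null) {
        return false;                        // unknown user or already confirmed
    }
    $row = &$users[$email];
    if (time() > $row['expires_at']) {
        return false;                        // expired: user must request a new code
    }
    if (!hash_equals($row['confirm_code'], $submitted)) {
        return false;                        // constant-time compare
    }
    $row['verified']     = true;
    $row['confirm_code'] = null;             // delete the code once it has been used
    return true;
}

// Login guard: the check the replies say must precede login or account edits.
function mayLogin(array $users, string $email): bool {
    return isset($users[$email]) && $users[$email]['verified'] === true;
}

// Constructed walk-through
$t = issueConfirmation($users, 'alice@example.test');
assert(mayLogin($users, 'alice@example.test') === false);
assert(confirmEmail($users, 'alice@example.test', 'wrong-code') === false);
assert(confirmEmail($users, 'alice@example.test', $t) === true);
assert(confirmEmail($users, 'alice@example.test', $t) === false); // no replay
assert(mayLogin($users, 'alice@example.test') === true);
```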
