
At first I thought that we could send the user a link containing a random number and save the same code in a cookie, so that when the user clicks on that link and comes back to our site we can check, through the GET method, whether the code matches or not. BUT there is a little problem: the user can enter anybody's email address, and when the confirmation is asked for, he can just look at the cookie and make the link himself, so it is not that secure.

Does anybody know what to do about this problem?

Paras
    Why save those in cookies? Send them a random number in email and save that in your database against their email id. When someone enters both email and code correctly, that's a valid verification – Hanky Panky Jun 29 '14 at 09:22

1 Answer


I use a function like this to generate an email token. I use 20 characters; you can use more. Then I store it in the database in that user's record.

## function to generate token ##
function generateRandomString($length = 20) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the OS CSPRNG; rand() is predictable and must not
        // be used for a token that stands in for proof of mailbox ownership
        $randomString .= $characters[random_int(0, strlen($characters) - 1)];
    }
    return $randomString;
}

Upon validation, the token is passed via the URL - captured and compared with the database field. If it's a match, the email is validated. If not, it fails.

wribit
  • `$randomString .= $characters[rand(0, strlen($characters) - 1)];` you put `.=` in this; what does `.` mean here? – Paras Jun 29 '14 at 13:00
  • consider this thread: http://stackoverflow.com/questions/2202331/what-is-the-difference-between-and-in-php. Basically, it concatenates the strings returned by the expression each time the for loop is processed. – wribit Jun 29 '14 at 13:04
  • @Paras since this string is being built in a loop one character at a time, you want to concatenate each new character at the end of the string rather than overwriting the whole string. `.=` means append this new character at the end of the existing string. – Hanky Panky Jun 29 '14 at 14:38
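The full flow wribit's answer and Hanky Panky's comment describe (generate a token, store it against the user's record, email it, compare email plus token when the link is clicked), as an added example that is neither wribit's code nor the original page's. It goes a little beyond the answer with the checks a practitioner would want: the token comes from a CSPRNG, only its hash is stored, it expires, the comparison is constant-time, and it is single use. An in-memory array stands in for the database table, and the host in the example link is a placeholder.

```php
<?php
// Added example: issue/verify flow for an email verification token.
const TOKEN_TTL_SECONDS = 24 * 60 * 60;

// Stand-in for the users table: email => [token_hash, expires_at, verified]
$users = [];

function issueVerificationToken(array &$users, string $email): string
{
    // 20 random bytes from the OS CSPRNG, hex-encoded into a 40-char URL-safe token
    $token = bin2hex(random_bytes(20));
    // Store only a hash, so reading the table does not yield a usable link
    $users[$email] = [
        'token_hash' => hash('sha256', $token),
        'expires_at' => time() + TOKEN_TTL_SECONDS,
        'verified'   => false,
    ];
    return $token; // this value goes into the emailed link
}

function verifyEmail(array &$users, string $email, string $token): bool
{
    if (!isset($users[$email]) || $users[$email]['token_hash'] === null) {
        return false; // unknown email, or token already consumed
    }
    $row = $users[$email];
    if (time() > $row['expires_at']) {
        return false; // expired: the user must request a fresh link
    }
    // hash_equals() compares in constant time, so a mismatch leaks no position info
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    // Single use: clear the token so the same link cannot be replayed
    $users[$email]['token_hash'] = null;
    $users[$email]['verified'] = true;
    return true;
}

// Usage: the emailed link carries both the email and the token, e.g.
// https://example.invalid/verify.php?email=...&token=...   (placeholder host)
$token = issueVerificationToken($users, 'alice@example.invalid');
var_dump(verifyEmail($users, 'alice@example.invalid', 'wrong-token'));
var_dump(verifyEmail($users, 'alice@example.invalid', $token));
var_dump(verifyEmail($users, 'alice@example.invalid', $token)); // second use is rejected
```

On the verify page, read `email` and `token` from `$_GET` and pass them to `verifyEmail()`; on a hit, mark the account verified and redirect, and on a miss return the same generic failure whether the email was unknown or the token was wrong.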