I’m verifying user email addresses.
The way most people tell is to create some unique token, store it in the DB and
send it to the user.
I’m doing it with just hashing (sha256) the email address with a sitewide salt
and sending this hash to the user.
Am I missing something, or is this enough to verify?
A couple of things that might be worth a look (or not).
If someone finds out your salt, then they can reconstruct your hashes and flood your system. In this case you’d want to make sure that a user requested addition of their e-mail address to whatever you’re creating. (That is, I wouldn’t get rid of storing the hash in the DB altogether.)
Also, if the salt is the same, the hash will be the same if they request again from that same e-mail address. Do you want a different hash each time a request is made, even for the same e-mail address? You could concatenate the server date/time to the e-mail address before you hash it to make it different each time.
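To make the two points in this answer concrete, here is an added Python example (not code from the question or the answer) that puts the question's scheme, sha256(salt || email), next to two alternatives: a keyed, expiring HMAC token that needs no database row, and a random single-use token whose hash is stored server-side. The salt, signing key, in-memory `PENDING` dict and the 24-hour TTL are constructed stand-ins for a real secrets store and database table.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed values for the example. In a deployment the key comes from a
# secrets store and PENDING is a database table of outstanding verifications.
SITE_SALT = b"example-site-wide-salt"
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600
PENDING: Dict[str, Tuple[str, int]] = {}   # sha256(token) -> (email, expiry)


def salted_hash_token(email: str, salt: bytes = SITE_SALT) -> str:
    """The scheme from the question: sha256(salt || email) with no server-side
    state. It is deterministic (same address, same token every time) and anyone
    who learns the salt can compute a valid token for any address."""
    return hashlib.sha256(salt + email.lower().encode()).hexdigest()


def issue_stateless_token(email: str, now: Optional[float] = None) -> str:
    """Keyed alternative: 'email|expiry|hmac'. Still stateless, but a forger needs
    the secret key rather than the salt, and the token expires."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    msg = f"{email.lower()}|{expiry}".encode()
    tag = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{email.lower()}|{expiry}|{tag}"


def verify_stateless_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified email, or None if the tag is wrong or the token expired."""
    now = time.time() if now is None else now
    try:
        email, expiry_s, tag = token.rsplit("|", 2)
        expiry = int(expiry_s)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{email}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    if now > expiry:
        return None
    return email


def issue_stored_token(email: str, now: Optional[float] = None) -> str:
    """Stateful alternative (the answer's advice to keep a DB record): a random
    token, stored only as its hash, tied to the address that requested it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    PENDING[key] = (email.lower(), int(now) + TOKEN_TTL_SECONDS)
    return token


def verify_stored_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Single use: the record is removed whether or not it turns out to be valid."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(key, None)
    if entry is None:
        return None
    email, expiry = entry
    if now > expiry:
        return None
    return email


if __name__ == "__main__":
    # Same address, same salted hash: the answer's second point.
    print(salted_hash_token("alice@example.com") == salted_hash_token("alice@example.com"))
    t = issue_stateless_token("Alice@Example.com", now=1000)
    print(verify_stateless_token(t, now=2000))           # alice@example.com
    print(verify_stateless_token(t, now=1000 + TOKEN_TTL_SECONDS + 1))  # None
    s = issue_stored_token("bob@example.com", now=1000)
    print(verify_stored_token(s, now=1500), verify_stored_token(s, now=1500))  # bob@example.com None
```

The stateless HMAC variant answers the salt-leak concern (the secret is a key that never has to be reconstructible from the token) and the repeat-request concern (the expiry field changes the token each time). The stored variant additionally guarantees that a confirmation corresponds to a request the server actually issued and can only be used once, which is why the answer suggests keeping the DB record.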