New user email verification code (Best practices) [closed]
I have been studying what the best practices are for email verification of a user who is trying to register on a site. (I am running a Laravel installation and this is happening in PHP, though this is more of a theoretical question.) I have a few questions I would like to get some opinions on!

  1. Would there be any use in storing the activation keys longer than needed? As of now I have set it up to delete the key once the user activates his/her account.
  2. When I clear the data from the table, post activation, does the space get de-allocated, or is it just emptied?
  3. Is there a better way to do this process? (I had a vague idea of using a temporary "tokens" table with the key and the email ids as columns, a new row being added every time a registration occurs, which is then deleted once the user confirms, or after a particular timeout period.)
  4. Ideally, what should be the size of the generated key? A simple 5 digit alphanumeric code can hold 60 million+ combinations, so is there any real need to hash this?

I've been researching this for a while; my aim is to make my system perfectly scalable and as efficient as I can make it. Any information/discussions are welcome.

Punishment answered 25/5, 2014 at 4:38 Comment(4)
Why a random downvote? My question is quite clear and I am not asking for code of any kind. I'm simply looking for the opinion of someone who has experience building applications of a very large scale. - Punishment
I didn't downvote or vote to close, but some people think that "best practices" questions don't have any place on StackOverflow because they are subjective and opinion-based. Some say that Stackoverflow is for questions that have only one definite answer. I think that's too restrictive. - Taxi
Ah well, I got what I wanted to know :) - Punishment
"....Stackoverflow is for questions that have only one definite answer", I'm curious, is this a written guideline or is it their subjective opinion :-) - Tit
  1. If the user clicks on the activation code, and you delete it, then he forgets that he clicked it and clicks it again, he might be confused when the code is not recognized. I would let the activation code stay active until it expires, which would at least match the explanation that should be in your email.

  2. Deleting data from a MySQL table (assuming InnoDB) marks the space as ready to delete. Later, a background thread really deletes it and the space is available to be re-used. But as with any process of fragmentation, the space might be too narrow for most future rows. Eventually if you run OPTIMIZE TABLE, the table is copied over and this naturally defragments it.

  3. Yes, generate a unique key associated with the email. Let it expire in a fairly short time, perhaps 1 hour.

  4. I'd use UUID(). Users should click on a link in the email your app sends them -- the user should not have to type in the token. So it isn't a burden if it's long. UUID() is a good way to generate a strongly unique random token.

Taxi answered 25/5, 2014 at 5:27 Comment(1)
Thank you, that was very informative, especially point 4 and 2 :) - Punishment
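The flow the answer describes (a unique token per email, a UUID as the token, the row kept until a short expiry so a repeated click is recognised, and a periodic timeout cleanup), as an added example that is not part of the question or the answer. It uses an in-memory dict as a stand-in for the tokens table, takes time as epoch seconds so expiry can be exercised deterministically, and additionally stores only a SHA-256 of the token, which the answer does not discuss.

```python
import hashlib
import time
import uuid

TOKEN_TTL_SECONDS = 3600  # the answer suggests roughly one hour

# Constructed in-memory stand-in for the "tokens" table:
# sha256(token) -> {"email", "expires_at", "used"}
_tokens = {}


def _token_hash(token):
    # Store only a hash (an addition to the answer): someone who reads the
    # table cannot use the stored values to activate accounts.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(email, now=None):
    """Generate a UUID token for `email` and record its hash and expiry.
    The raw token goes only into the emailed link; it is never stored."""
    now = time.time() if now is None else now
    token = str(uuid.uuid4())
    _tokens[_token_hash(token)] = {
        "email": email, "expires_at": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def activate(token, now=None):
    """Return (status, email). The row stays until it expires (point 1),
    so a second click reports 'already_activated' instead of 'unknown'."""
    now = time.time() if now is None else now
    key = _token_hash(token)
    row = _tokens.get(key)
    if row is None:
        return "unknown", None
    if now >= row["expires_at"]:
        del _tokens[key]          # expired rows are dropped on sight
        return "expired", row["email"]
    if row["used"]:
        return "already_activated", row["email"]
    row["used"] = True
    return "activated", row["email"]


def purge_expired(now=None):
    """Point 3's timeout cleanup, meant to run periodically; returns rows removed."""
    now = time.time() if now is None else now
    stale = [k for k, r in _tokens.items() if now >= r["expires_at"]]
    for k in stale:
        del _tokens[k]
    return len(stale)


def pending_count():
    return len(_tokens)
```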
