how to verify user clicked on link in email that I sent him/her?

借酒劲吻你 2020-12-10 06:57

This is a more focused question triggered by an earlier posting here. I need to authenticate a user's email address by proving he/she has access to it. I've copied below a

3 answers
  • 2020-12-10 07:41

    In your user database you need to have a staging users table (or in the main users table add a column indicating whether the user is active and default the indicator to "no"). When the user first registers, you generate a unique hash code from part of the user's info, e.g. use md5 on the user primary key and name (or some other set of user's variables which you can get back by decrypting). Make this hash code a query string parameter in the link you send to the user. Finally, when the user clicks on the link, get the hash code from the query string, decrypt it and match the decrypted values to the user row in your database. If a match is found, set the "active" indicator to true, and presto. Alternately, if you used a staging table, then move the user record to the "active users" table which you use to do your authorization on.

  • 2020-12-10 07:44

    I know one link which has the best answer, given by BalusC.
    Here is the link: better answer.
    I have implemented that in my project. Hope this will help others.

  • 2020-12-10 07:49

    Replying to a unique email to verify someone's email has an inherent flaw: it can be faked (unless you check headers and IP). For example, I visit your site for registration. You tell me to reply at users-sc.1496854427.ckdpbmhncdlkjadkajfpecc-mylist=yourdomain.net@listdomain.com. I use a mail() function with a spam bot to reply. Game over. Purpose defeated.

    Instead, you can send me a verification link on my register id. Something like example.com/verify?userid=1&hash=67gk65fs6714fgsHguj

    In the users table:

    id|username|status|onetimehash
    --+--------+------+-------------------------
     1|testuser|    0 |67gk65fs6714fgsHguj

    Now, in your verify call check userid and hash. If they match against the values in your db, you can safely verify the user. For generating the hash, you can take the md5 or sha1 value of the username mixed with some salt, like a timestamp or some random number.

    UPDATE: If you are going with the former solution, i.e. capturing the user's reply to validate the email, you will have to set up your own mail server. Fetchmail may help you. You will have to programmatically read the email headers and extract the required info from the <to>, <from> or <subject> fields, like userid=1496854427 and hash=ckdpbmhncdlkjadkajfpecc. You may need regex in this process. Once you have these values, it's pretty straightforward: check them against the database values.

    Bottom line is: the former method is not just more tedious, it's also more vulnerable than the latter. Most web apps use the 2nd solution, as it's cleaner and wiser.

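The verify-link scheme from the answer above, as an added example that is not code from any poster: a Python sketch with an in-memory stand-in for the users table (id, username, status, onetimehash). It swaps the suggested md5/sha1-of-username hash for a random token from the OS CSPRNG, stores only the token's SHA-256, adds an expiry, compares in constant time, and clears the token after one successful use. The base URL, the 24-hour TTL and the extra `expires` column are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed in-memory stand-in for the answer's "users" table:
# id | username | status | onetimehash   (+ "expires", an assumption added here)
USERS = {
    1: {"username": "testuser", "status": 0, "onetimehash": None, "expires": 0},
}
TOKEN_TTL = 24 * 3600   # assumed: links stop working after a day


def _digest(token: str) -> str:
    # Only the SHA-256 of the token is stored, so a read of the table
    # (backup, SQL injection, curious admin) does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def create_verification_link(users, user_id, base="https://example.com/verify", now=None):
    """Issue a fresh one-time token for user_id and return the link to email out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)           # 256 random bits, not md5(username + salt)
    users[user_id]["onetimehash"] = _digest(token)
    users[user_id]["expires"] = now + TOKEN_TTL
    return base + "?" + urlencode({"userid": user_id, "hash": token})


def verify(users, user_id, token, now=None):
    """Return True and mark the user active only if (userid, hash) is a live one-time token."""
    now = time.time() if now is None else now
    row = users.get(user_id)
    if row is None or row["status"] != 0 or row["onetimehash"] is None:
        return False                             # unknown user, already active, or nothing issued
    if now > row["expires"]:
        return False                             # stale link; user must request a new one
    if not hmac.compare_digest(row["onetimehash"], _digest(token)):
        return False                             # wrong token, checked in constant time
    row["status"] = 1
    row["onetimehash"] = None                    # one-time: replaying the same link fails
    return True
```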