问题
I've got a web site sending someone a confirmation email.
Now in the email I would like to have a link the user has to click to confirm he received the mail.
I'd like to include the user's password (or some random code) into the confirmation address, so the user does not need to enter it by hand again, but if I do this, the password will end up in the browser history and the log files.
Is there any other way to get a confirmation link in an email to send information like a user name and password, without it ending up in the link somehow?
Is it, for example, possible to have an input form in an email and send the password as POST instead of GET?
回答1:
The way this usually works is that the confirmation email contains a link that includes a GUID (Globally Unique Identifier) of some sort. The GUID is associated with the user's account. When the link is clicked the web application simply sets the confirmation flag and logs the user in using the GUID rather than the usual username and password combination.
回答2:
Calculate a hex digest (e.g. md5) based on the user's id and the current time. Persist this code to a database or write a file with it as the filename, and include the user's ID and email address.
Set up a http handler (cgi, php, servlet, etc...) to receive GET requests based on a URI that looks something like "/confirm_email/{hexdigest}" or "/confirm_email.php?code={hexdigest}"
When a user needs to confirm their email, send a link to the above servlet containing the digest.
When someone links to this URI, retrieve the db record or file with the matching digest. If one is found the email address contained is now verified.
If you want to make it more robust: When a user verifies their email, change the hex digest to just be a hash of the email address itself with no salt. Then you can test if someone's email has changed and needs to re-verify.
回答3:
You can pass the GUID in the email. That particular GUID has to be associated with the user. Then when the user clicks the link the GUID is sent back to the application and can be captured as a QueryString. Extract the GUID an update that the user has been approved.
来源:https://stackoverflow.com/questions/212758/best-way-for-confirmation-email-links-to-submit-id