TwelvestoneProjects and Theory

Security - click this link to complete your registration


dwadwee
 
2011-09-28

I'm struggling to google anything, and wondered if anyone here had any thoughts on this.

Users of this web app I'm making will have their user accounts created by someone else (you don't register yourself), and will be sent an email containing a link back into the site. They click this link and they can then set their own password, and from there they're in. So since you can therefore enter the site just by having access, or guessing, this link we send out, I'm wondering what the security implications might be.

I thought about creating a long string of random chars, unique in our database, that is added to a new account. This forms the URL that is sent. So they click that URL, they then have to enter the email address they're using and if the email matches the long code in the URL then I can let them in. There'd be a time limit on the code, if they haven't clicked it then it will time out after a month or so, and it's only good once.

Click here to activate your account and set your password: https://www.mywickedapp.com/activation/48rT23tfGDFRy433UY67gv48rT23tfGDFRy433UY67gv

It's not highly sensitive data here, just names and email addresses, and access to this web app - but without a personal relationship with the person that registers you, you can't do much with it. So there isn't much reason to want to hack in as far as I can see. But all the same I don't want to leave the door wide open as it were.

So a case-sensitive alphanumeric 32 char string should be good enough for the link, right? Of course, I plucked "32" out of the air k

I think Stinky you did something similar for 12S, but I can't rem what the email looked like now.

Stickman
 
2011-09-28

What you've outlined is the approach I've taken with my own apps, so I'd say go for it.

A 32-char, case-sensitive alphanumeric string is way overboard though -- that's 62 ^ 32 which is an insanely huge number of combinations. 10 chars should be more than sufficient. Also, if you're storing it in a database make sure that the collation is case-sensitive -- anything ending '_ci' is case-insensitive (hence the suffix), you want something like utf8_bin.

dwadwee
 
2011-09-28

there's no cost to using 32 over 10 though is there? No significant storage space, nor calculation time really. Suppose I could say the same for 128 over 32 ...

There isn't a standard or reference for this sort of thing is there, that you're aware of?

Thanks for the collation headsup k

Stickman
 
2011-09-28

If you're not storing a large number of them then no, storage space isn't going to be an issue. It will affect speed but again, for low traffic it's not going to be noticeable. One potential issue is that a really long URL might wrap in some email clients, and stupid users will somehow miss off the last bit of the URL (when cutting+pasting rather than clicking).

Not sure what you mean by a 'standard reference' -- for which bit?

dwadwee
 
2011-09-28

well it's really cos the client was asking about what's a good length for this sort of thing, he was asking about whether there was a standard for it - I imagine there isn't.

Thanks for the input, Stick.

Stickman
 
2011-09-28

Well no, not that I'm aware of. For reference, goo.gl (the URL shortener) uses a 5-char case-insensitive string, which gives about a billion possible combinations. In the past I've used 8 chars, which gives a couple of trillion. 32 chars gives approximately 2 followed by 57 zeroes. I think the official term for that number is a 'metric crap-ton'.

dwadwee
 
2011-09-28

I'll include that in the spec k

Stinky
 
2011-09-28

All of that's fine, but I almost always just use the output of whatever hexdigest algo I have sitting around. e.g. Digest::SHA1.hexdigest(user.id.to_s + rand.to_s + Time.now.to_s) or some such thing.

It's overkill though.
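The scheme dwadwee describes (random 32-char case-sensitive alphanumeric link, must match the account's email, times out after a month, single use) and the token generation Stinky mentions, worked through as an added Ruby example that is not code from the thread or from 12S. It draws the token from SecureRandom rather than rand(), and stores only a SHA-256 of the token so a copy of the accounts table does not hand out working links; the in-memory store, the `create_pending_account`/`activate` names and the sample emails are assumptions for the example.

```ruby
require 'securerandom'
require 'digest'

TOKEN_LENGTH = 32                   # case-sensitive [A-Za-z0-9], 62^32 values
TOKEN_TTL    = 30 * 24 * 60 * 60    # "a month or so", in seconds

# Activation token from the OS CSPRNG (SecureRandom), not rand()/Time.now.
def generate_token
  SecureRandom.alphanumeric(TOKEN_LENGTH)
end

# Only the digest of the token is persisted; the plain token goes in the email.
def token_digest(token)
  Digest::SHA256.hexdigest(token)
end

# Constant-time byte comparison so a mismatch is not revealed by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# `store` is a Hash standing in for the accounts table (constructed here).
# Returns the plain token to put into the "click here to activate" link.
def create_pending_account(store, email, now: Time.now)
  token = generate_token
  store[token_digest(token)] = { email: email.downcase, created_at: now, used: false }
  token
end

# Called when the user follows the link and types their email address.
# Returns :ok exactly once per token, otherwise a symbol naming the failure.
def activate(store, token, email, now: Time.now)
  return :invalid_token unless token.is_a?(String) && token.length == TOKEN_LENGTH
  record = store[token_digest(token)]
  return :invalid_token unless record
  return :already_used  if record[:used]
  return :expired       if now - record[:created_at] > TOKEN_TTL
  return :email_mismatch unless secure_equal?(email.downcase, record[:email])
  record[:used] = true   # burn the token before the set-password form is shown
  :ok
end
```

A case-sensitive token only works if the database column compares it case-sensitively (Stickman's point about `_ci` collations); hashing the token before lookup sidesteps that too, since a hex digest survives a case-insensitive collation.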

mosquito
 
2011-09-28

Originally posted by Stickman

I think the official term for that number is a 'metric crap-ton'.

metric fuckton actually k

Stickman
 
2011-09-28

Sorry, I always get metric and imperial units mixed up.
