I have a site where users must confirm their e-mail using a typical e-mail confirmation script with a specific (but long) Confirmation Link for each user that includes the usual hash parameter.
The problem I'm having is that some users are having problems with the long and complicated Confirmation Link due to the device they are using.
So I need to create an alternative way to generate the unique Confirmation Link for each user such that no pattern is obvious so that it cannot be figured out and abused.
I've been looking at Base62 encoding and decoding, but the one I found is based on numbers only, which would limit me to using the sequential unique User ID's, which then creates an obvious sequential pattern in the encoded results which could easily be abused.
Preferably, I want a solution that will not require me to alter the DB.
Ideally, I would like to basically create a shortened URL similar to how Bit.ly and other url shorteners create their unique URL's, but that can be encoded and decoded either off of the User ID, username, or e-mail, and preferably have the encoding/decoding "salted" with a unique key so that no pattern emerges in the encoded results.
EXAMPLE:
So instead of the confirmation link looking like:
http://domain.com/confirm?email=blah@blah.com&hash=1f3870be274f6c49b3e31a0c6728957f
I would like it to look like:
http://domain.com/confirm/Sg5rdn
Where I would then simply decode Sg5rdn to get the Username, User ID, or E-mail of the user and confirm them.
Is this even possible?
Instead, just create a table with confirmation codes. When a user should do a confirmation, create an unique code (using base62 or whatever), insert it into that table and assign it to the user id.
Then, when the user hits the confirmation link, just fetch the user id etc from the confirmation code table (and check that the code exists and still isn't confirmed etc).