[hcs-d] User Authentication - Random String

Matt Di Pasquale pasquale at fas.harvard.edu
Wed May 27 22:23:36 EDT 2009

Wow, thanks for all the replies. Unfortunately, aiming for inbox zero, i
recently added filters w/ archive (on gmail) to email list emails. haha...
so it took a while for me to notice them. i'll have to modify those filters

anyway, i decided to go with php's uniqid() since it's a linux server and i
don't think i'll have many people signing up at once... also, i checked the
php source code to see how uniqid() is implemented (see attached if
interested). it uses c's gettimeofday() and then spprintf(&uniqid, 0,
"%s%08x%05x", prefix, sec, usec). I guess that's some kind of hash
formatting, like Andy says.

also. i do a check like Keven says to make sure it's unique. just incase
more than one person signs up in the same microsecond!

I also saw they did this check in phplist (I downloaded the source code for
that.). They also use uniqid(), but with extra arguments.

here's the relevant part of my code:

      $ekey = uniqid();

      // Make sure ekey is really unique
      while (true) {
        $dup_key = $mysqli->query("SELECT ekey FROM email WHERE
        if (!$dup_key) {
          $message = '<strong>Server Error</strong>: Please try again.';
          $status = 'error';
          report('MySQL Error', "Could not execute SELECT ekey FROM email
WHERE ekey='$ekey'");
        } else if ($dup_key->num_rows > 0) {
          $ekey = uniqid();
        } else {

Grant, that HMAC method seems cool. does that mean you don't have to store
the uniqid in the database? I was thinking there's probably someway to
generate a uniqid from the id that i use as a primary key and their email
address. i also get their ip that they registered from and the timestamp
that they registered. all these are permanent and the email id and email are
guaranteed unique. I don't really grasp hash functions that well (if you
give them unique args, are they guaranteed to return unique values?), and i
don't really understand how to implement it with HMAC or how to use that
function. Do you have example code? also, i thought it might be faster
(eventhough it takes up more space) to just get the key from the database
instead of having to generate it every time. what do you think?

thanks all, and feel free to make comments or suggestions.


On Wed, May 27, 2009 at 7:22 PM, Greg Brockman
<gregory.brockman at gmail.com>wrote:

> > ...was also very bad on Windows platforms...
> but then again, what isn't?
> > Matt Di Pasquale wrote:
> >> I checked out the datamatch app...
> >>
> >> so, you enter your email, and it sends you a link to your user page. the
> >> link has a random string:
> >> http://harvard09.com/datamatch/vote.php?verify={random<http://harvard09.com/datamatch/vote.php?verify=%7Brandom>
> >> <http://harvard09.com/datamatch/vote.php?verify=%7Brandom> string here}
> >>
> >> I want to implement something like this for an email list signup.
> >> that way, i can only require inputting email address to signup (no
> >> password).
> >> then, their settings page (where they can unsubscribe, change email,
> >> etc.) can just have a random string appended to the url. aweber does
> this.
> >>
> >> how is this implemented? what exactly is the best way to implement
> >> something like this?
> >>
> >> I did some research online and found UUID.
> >> (http://en.wikipedia.org/wiki/Universally_Unique_Identifier)
> >>
> >> mysql has a UUID() function.
> >>
> http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html#function_uuid
> >>
> >> Do you recommend I use that or PHP's uniqid() function
> >> (http://us3.php.net/uniqid)
> >>
> >> and if i use these methods, do I need to also make the field in the
> >> mysql database UNIQUE? or is it safe to assume that the returned string
> >> is unique.
> >>
> >> So, how this works then is this:
> >> when they sign up, store their email. but also store a unique string
> >> generated by some function. (which function is best to use in this
> >> case?) uniqid seems faster.
> >>
> >> also, do i have the general idea correct?
> >> obv. you would also store this in the $_GET array so that it gets passed
> >> to url or whatever... that was kinda backwards but u know what i mean.
> >> haha...
> >>
> >> Thanks!
> >>
> >> -Matt
> >>
> >>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> hcs-discuss mailing list
> >> hcs-discuss at lists.hcs.harvard.edu
> >> http://lists.hcs.harvard.edu/mailman/listinfo/hcs-discuss
> > _______________________________________________
> > hcs-discuss mailing list
> > hcs-discuss at lists.hcs.harvard.edu
> > http://lists.hcs.harvard.edu/mailman/listinfo/hcs-discuss
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.hcs.harvard.edu/pipermail/hcs-discuss/attachments/20090527/4628f18b/attachment.htm 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uniqid.c
Type: application/octet-stream
Size: 2741 bytes
Desc: not available
Url : http://lists.hcs.harvard.edu/pipermail/hcs-discuss/attachments/20090527/4628f18b/attachment.obj 

More information about the hcs-discuss mailing list