I would like to make e-mail verification in my website.
I plan to send an email to the user with a link to verify the email address, wherein verification link I plan to include a key made with:
str(uuid.uuid4())
The verification link will expire after some time.
My questions:
is it good aproach? safe, reliable? do I have to check either uuid.uuid4() is unique? are uuid.uuid4() values safe for being parts of URL?
is it good aproach? safe, reliable? do I have to check either uuid.uuid4() is unique? are uuid.uuid4() values safe for being parts of URL?
Yes, this should be sufficient enough for email verification.
According to Georg Schölly,
uuid4() generates ... a random UUID. The chance of a collision is really, really, really small. Small enough, that you shouldn't worry about it. The problem is, that a bad random-number generator makes it more likely to have collisions.
Who then quoted Bob Aman,
Frankly, in a single application space without malicious actors, the extinction of all life on earth will occur long before you have a collision, even on a version 4 UUID, even if you're generating quite a few UUIDs per second.
So I would say this is safe and reliable for email verification. And there should not be a need to make sure the UUID4 is unique (but I couldn't hurt to check when generating it). Also, as long as the UUID is hex-encoded (its canonical form), it is safe for being part of a URL.