I have been studying what the best practices are for email verification of a user who is trying to register on a site. (I am running a Laravel installation and this is happening in PHP, though this is more of a theoretical question.) I have a few questions I would like to get some opinions on!
I've been researching this for a while; my aim is to make my system perfectly scalable and as efficient as I can make it. Any information/discussions are welcome.
If the user clicks on the activation code, and you delete it, then he forgets that he clicked it and clicks it again, he might be confused when the code is not recognized. I would let the activation code stay active until it expires, which would at least match the explanation that should be in your email.
Deleting data from a MySQL table (assuming InnoDB) marks the space as ready to delete. Later, a background thread really deletes it and the space is available to be re-used. But as with any process of fragmentation, the space might be too narrow for most future rows. Eventually if you run OPTIMIZE TABLE, the table is copied over and this naturally defragments it.
Yes, generate a unique key associated with the email. Let it expire in a fairly short time, perhaps 1 hour.
I'd use UUID(). Users should click on a link in the email your app sends them -- the user should not have to type in the token. So it isn't a burden if it's long. UUID() is a good way to generate a strongly unique random token.
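An added example, not from the question or the answer above: a MySQL 8 schema and the queries for the flow the answer describes (one-hour expiry, row kept rather than deleted on click, batched cleanup). Table and column names are assumptions, and `?` marks a bound parameter. It also carries one caveat the answer does not: MySQL's UUID() is a version-1 (timestamp plus node) UUID, so RANDOM_BYTES() is shown as the alternative when the token must be unguessable as well as unique.

```sql
-- Added example (not code from the original post). Names are assumptions.
CREATE TABLE email_verifications (
  id          BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  email       VARCHAR(255) NOT NULL,
  token       CHAR(36)     NOT NULL,
  expires_at  DATETIME     NOT NULL,
  verified_at DATETIME     NULL,          -- set on first click; row is kept
  UNIQUE KEY uk_token (token),
  KEY idx_expires (expires_at)
) ENGINE=InnoDB;

-- Issue a token that expires in one hour. UUID() is MySQL's version-1
-- (timestamp + node) UUID: unique, but its layout is partly predictable.
INSERT INTO email_verifications (email, token, expires_at)
VALUES ('alice@example.com', UUID(), NOW() + INTERVAL 1 HOUR);

-- Same flow with a CSPRNG token (RANDOM_BYTES needs MySQL 5.6.17+).
-- 16 random bytes = 32 hex chars, which still fits CHAR(36).
INSERT INTO email_verifications (email, token, expires_at)
VALUES ('bob@example.com', HEX(RANDOM_BYTES(16)), NOW() + INTERVAL 1 HOUR);

-- Verify: record the first click only if the token is not expired.
-- A second click within the hour still finds the row (it was not deleted),
-- so the app can answer "already verified" instead of "unknown code".
-- The token arrives as a bound parameter, never interpolated into the SQL.
UPDATE email_verifications
   SET verified_at = COALESCE(verified_at, NOW())
 WHERE token = ? AND expires_at > NOW();

-- Application-side check after the UPDATE: a row with verified_at set
-- (just now or earlier) means the address is confirmed; no row means
-- the token is unknown or expired and the user must request a new one.
SELECT email, verified_at
  FROM email_verifications
 WHERE token = ? AND expires_at > NOW();

-- Housekeeping: delete expired rows in bounded batches from a scheduled job,
-- which keeps InnoDB purge work and index fragmentation small; fall back to
-- OPTIMIZE TABLE only if the table has actually become fragmented.
DELETE FROM email_verifications
 WHERE expires_at < NOW() - INTERVAL 1 DAY
 LIMIT 1000;
```

The UNIQUE index on `token` makes a (vanishingly unlikely) UUID collision fail loudly at INSERT time rather than silently binding two emails to one link.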