I'm working on an application where users can register when they receive an email invitation for the app. Right now what I do is generate invitation codes that are sent to the users and stored in the database. The user then goes to the URL given in the email, which contains the invitation code, like this:
http://myapp.com/user/register/56jk4564k6567kj686kjh56
I was wondering if other approaches are better, like storing only the email of the user and avoiding sending invitation codes.
Also, when using the invitation codes, is there any need to encrypt them?
Invitation codes are probably best, as they serve to validate the email address, which means there is one less step to take when the user signs up. Normally you would have to send the user a secret code by email to check the email address is real - well, you've just done that!
One consideration is what happens if a user gets an invitation at one address then actually wants to use a different email address to sign up? Maybe they have more than one and want to use a different one (work vs. personal, for instance)? You'll need the code to validate the person is the same one.
As for encryption, I wouldn't bother - if your database gets hacked and codes stolen, it's easy enough to make new ones and send them out again.
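The invitation flow discussed in this thread, as an added example that is not code from the original posts: codes come from a CSPRNG, are redeemable once, record whether the signup address matches the invited one, and can be replaced in bulk. The SQLite table layout and the function names are assumptions made for illustration, and codes are stored as-is, as the answer suggests.

```python
import secrets
import sqlite3

def open_db():
    # In-memory database with a hypothetical schema for the example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invitations ("
               "code TEXT PRIMARY KEY, invited_email TEXT NOT NULL, used_by TEXT)")
    return db

def issue_invitation(db, invited_email):
    """Create an unguessable code (24 random bytes) and store it for this address."""
    code = secrets.token_urlsafe(24)
    db.execute("INSERT INTO invitations (code, invited_email) VALUES (?, ?)",
               (code, invited_email))
    return code

def redeem(db, code, signup_email):
    """Consume a code exactly once.

    Returns (invited_email, email_verified), or None when the code is unknown,
    already used, or has been replaced.
    """
    # The UPDATE only matches an unused row, so a second redemption changes nothing.
    cur = db.execute(
        "UPDATE invitations SET used_by = ? WHERE code = ? AND used_by IS NULL",
        (signup_email, code))
    if cur.rowcount != 1:
        return None
    (invited,) = db.execute(
        "SELECT invited_email FROM invitations WHERE code = ?", (code,)).fetchone()
    # The code proves control of the invited mailbox only; a different
    # signup address is accepted but is not yet verified.
    return invited, invited.lower() == signup_email.lower()

def reissue_unused(db):
    """Replace every unused code; returns {invited_email: new_code} to mail out again."""
    rows = db.execute(
        "SELECT code, invited_email FROM invitations WHERE used_by IS NULL").fetchall()
    fresh = {}
    for old_code, email in rows:
        db.execute("DELETE FROM invitations WHERE code = ?", (old_code,))
        fresh[email] = issue_invitation(db, email)
    return fresh
```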