使用由 python uuid.uuid4 制作的密钥进行电子邮件验证是一种好方法吗? [英] Are E-mail verification with keys made from python uuid.uuid4 a good approach?

问题描述

我想在我的网站上进行电子邮件验证.

I would like to make e-mail verification in my website.

我计划向用户发送一封电子邮件，其中包含验证电子邮件地址的链接，其中验证链接我计划包含使用以下方法制作的密钥:

I plan to send an email to the user with a link to verify the email address, wherein verification link I plan to include a key made with:

str(uuid.uuid4())

验证链接将在一段时间后过期.

The verification link will expire after some time.

我的问题:

这是好的方法吗?安全、可靠?我必须检查 uuid.uuid4() 是唯一的吗?uuid.uuid4() 值作为 URL 的一部分是否安全?

is it good aproach? safe, reliable? do I have to check either uuid.uuid4() is unique? are uuid.uuid4() values safe for being parts of URL?

推荐答案

这是好的方法吗?安全、可靠?我必须检查 uuid.uuid4() 是唯一的吗?uuid.uuid4() 值作为 URL 的一部分是否安全?

is it good aproach? safe, reliable? do I have to check either uuid.uuid4() is unique? are uuid.uuid4() values safe for being parts of URL?

是的，这应该足以进行电子邮件验证.

Yes, this should be sufficient enough for email verification.

根据 Georg Schölly，

uuid4() 生成……一个随机的 UUID.发生碰撞的可能性真的非常非常小.足够小，你不应该担心它.问题是，一个糟糕的随机数生成器使它更有可能发生冲突.

uuid4() generates ... a random UUID. The chance of a collision is really, really, really small. Small enough, that you shouldn't worry about it. The problem is, that a bad random-number generator makes it more likely to have collisions.

谁随后引用了 Bob Aman，

坦率地说，在没有恶意行为者的单一应用程序空间中，地球上所有生命的灭绝将在您发生碰撞之前很久，即使在版本 4 UUID 上，即使您每秒生成相当多的 UUID.

Frankly, in a single application space without malicious actors, the extinction of all life on earth will occur long before you have a collision, even on a version 4 UUID, even if you're generating quite a few UUIDs per second.

所以我会说这对于电子邮件验证是安全可靠的.并且不需要确保 UUID4 是唯一的(但我在生成它时不会受到伤害).此外，只要 UUID 是十六进制编码的(其规范形式)，就可以安全地作为 URL 的一部分.

So I would say this is safe and reliable for email verification. And there should not be a need to make sure the UUID4 is unique (but I couldn't hurt to check when generating it). Also, as long as the UUID is hex-encoded (its canonical form), it is safe for being part of a URL.

这篇关于使用由 python uuid.uuid4 制作的密钥进行电子邮件验证是一种好方法吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！