8.22. Confirming Requests via Email


You want to allow users to confirm a request via email while preventing third parties from spoofing or falsifying confirmations.


Generate a random identifier, associate it with the email address to be confirmed, and save it for verification later. Send an email that contains the random identifier, along with instructions for responding to confirm receipt and approval. If a response is received, compare the identifier in the response with the saved identifier for the email address from which the response was received. If the identifiers don’t match, ignore the response and do nothing; otherwise, the confirmation was successful.
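The steps above in C, as an added example that is not the book's own code. It assumes a fixed-size in-memory table, a 128-bit identifier read from `/dev/urandom`, exact-match address comparison, and single-use identifiers; `confirm_create` and `confirm_verify` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#define ID_BYTES 16                      /* assumed size: 128 random bits */
#define ID_HEX   (ID_BYTES * 2 + 1)      /* hex encoding plus NUL */
#define MAX_PENDING 64
struct pending { char email[128]; char id[ID_HEX]; int used; };
static struct pending table[MAX_PENDING]; /* in-memory store (assumption) */

/* Generate an identifier, save it for `email`, and return it in `out`
   so it can be mailed. Returns 0 on success, -1 on failure. */
int confirm_create(const char *email, char out[ID_HEX]) {
    unsigned char raw[ID_BYTES];
    FILE *f; size_t got; int i, slot = -1;
    if (strlen(email) >= sizeof table[0].email) return -1;
    for (i = 0; i < MAX_PENDING; i++) {
        /* A repeat request for the same address replaces the old identifier. */
        if (table[i].used && !strcmp(table[i].email, email)) { slot = i; break; }
        if (!table[i].used && slot < 0) slot = i;
    }
    if (slot < 0) return -1;
    if (!(f = fopen("/dev/urandom", "rb"))) return -1;
    got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;    /* never fall back to weak randomness */
    for (i = 0; i < ID_BYTES; i++) sprintf(out + 2 * i, "%02x", raw[i]);
    strcpy(table[slot].email, email);
    memcpy(table[slot].id, out, ID_HEX);
    table[slot].used = 1;
    return 0;
}

/* Returns 1 if `id` matches the identifier saved for `from`; otherwise 0,
   in which case the caller ignores the response and does nothing. */
int confirm_verify(const char *from, const char *id) {
    unsigned char diff = 0; int i, j;
    if (strlen(id) != ID_HEX - 1) return 0;
    for (i = 0; i < MAX_PENDING; i++) {
        if (!table[i].used || strcmp(table[i].email, from)) continue;
        /* Compare every byte so timing does not reveal how much matched. */
        for (j = 0; j < ID_HEX - 1; j++) diff |= (unsigned char)(id[j] ^ table[i].id[j]);
        if (diff) return 0;              /* mismatch: request stays pending */
        table[i].used = 0;               /* single use (assumption) */
        return 1;
    }
    return 0;
}

int main(void) {
    char id[ID_HEX];
    if (confirm_create("bob@example.com", id)) return 1;
    return confirm_verify("bob@example.com", id) ? 0 : 1;
}
```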


The most common use for confirmation requests is to ensure that an email address actually belongs to the person requesting membership on some kind of mass mailing list (whether it’s a mailing list, newsletter, or some other type of mass mailing). Joining a mass mailing list typically involves either sending mail to an automated recipient or filling out a form on a web page.

The problem with this approach is that it is trivial for someone to register someone else’s email address with a mailing list. For example, suppose that Alice wants to annoy Bob. If mailing lists accepted email addresses without any kind of confirmation, Alice could register Bob’s email address with as many mailing lists as she could find. Suddenly, Bob would begin receiving large amounts of email from mailing lists with which ...
