Reputation: 5884
When someone will register on my site, he will receive a confirmation link to let him finish registration.
Idea I have is to make a column in table "Users" with a randomly generated number. Next, I send a link to the user's email, example link: http://example.com/confirm.php?user=newuser&code=54355345534
When he clicks on it, it checks his login and number from the link with the number in table Users.
It works OK, but I need an extra column. Is this a good idea? Second idea I had is to use Salt as confirmation code, is this good or not?
Edit: Is it possible to move this to https://security.stackexchange.com/?
Upvotes: 0
Views: 698
Reputation: 10613
This is probably better suited for security.stackexchange.com.
With that said... what's the problem with creating a new table that maps "unverified" user-ids to a large random number (perhaps a UUID) which is then sent to the user via e-mail? The cost of that solution should be minimal, so I don't see why you would bother implementing anything else.
There shouldn't be any real problem with sending the salt, but that depends on how you generate it; provided you are using a good PRNG it should be fine, theoretically. Otherwise, it could be an issue: for example, if you're using a sequential counter or a timestamp as the generator of the salt value, then that's not so good. The problem isn't that you're revealing the salt per se, but that you're leaking information that can allow malicious users to "guess" what the next validation token will be which means they will be able to verify their accounts without having a valid e-mail address.
Upvotes: 3
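The approach the answer recommends (a separate "unverified users" table holding a large CSPRNG-generated value, with no dependence on a counter or timestamp), written out as an added Python example that is not part of either post. The in-memory dict standing in for the table, the hashed-at-rest storage, the 24-hour expiry and the single-use rule are my assumptions, not something the answer specifies.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

TOKEN_TTL = 24 * 3600  # assumed: links stop working after 24 hours

# Constructed stand-in for the "unverified" table: user_id -> (sha256(token), expiry).
# Only the hash is stored, so a read of this table does not yield usable links.
pending = {}
verified = set()


def issue_token(user_id, now=None):
    """Create a confirmation token; the caller puts the returned value in the e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    pending[user_id] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
    return token


def build_link(base_url, user_id, token):
    """Assemble the link in the shape the question uses (confirm.php?user=...&code=...)."""
    return f"{base_url}/confirm.php?user={quote(user_id)}&code={quote(token)}"


def confirm(user_id, token, now=None):
    """Check the token from the link against the stored hash; returns True once at most."""
    now = time.time() if now is None else now
    record = pending.get(user_id)
    if record is None:
        return False
    stored_hash, expires = record
    if now > expires:
        del pending[user_id]  # stale token: drop it, user must request a new one
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(stored_hash, presented):  # constant-time comparison
        return False
    del pending[user_id]  # single use: a confirmed token cannot be replayed
    verified.add(user_id)
    return True
```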