Alessandro

Reputation: 3761

Invitation using security key

I would like to implement an invitation system for an ASP.NET application. The system administration can add email addresses that are saved in the DB associated with a security key. This security key is sent to the e-mail address in a link. When the user clicks the link, they can register a new account and everything goes on.

I am a security newbie, so I would like to know if there are simple and secure (it will not be NASA archive, obviously) ways to implement a mechanism like that.

Thank you!

Upvotes: 2

Views: 1016

Answers (1)

Sjoerd

Reputation: 75578

I can think of two ways:

  • Create a row in the database and put the ID of the row and the HMAC of the ID in the invitation. For example ?Register.aspx?UserId=3&hmac=54oreijwgoro564i3j2o543. Because the client cannot reproduce the HMAC for another ID, he cannot simply change the URL to register another user.
  • Create a row with some random and unique string. Because the string is random, it is hard to guess. When the user requests ?Register.aspx?Code=grewgkrwgoerwgrew432, search the database for the row with that code. In some projects we use a GUID as a random token, but I don't know how secure/random that is.

Upvotes: 2
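
The two approaches from the answer above, sketched in C# as an added example (not code from the question or the answer). It assumes .NET 6 or later; the class and method names and the in-memory key are hypothetical, and the random code is drawn from the platform CSPRNG rather than a GUID.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example; InvitationLinks and its members are hypothetical names.
public static class InvitationLinks
{
    // HMAC-SHA256 over the decimal row ID, keyed with a server-side secret.
    private static byte[] Mac(int invitationId, byte[] serverKey)
    {
        string id = invitationId.ToString(CultureInfo.InvariantCulture);
        return HMACSHA256.HashData(serverKey, Encoding.UTF8.GetBytes(id));
    }

    // Approach 1: the link carries the row ID plus the HMAC of that ID.
    public static string SignId(int invitationId, byte[] serverKey)
        => Convert.ToHexString(Mac(invitationId, serverKey));

    public static bool VerifyId(int invitationId, string hmacHex, byte[] serverKey)
    {
        byte[] supplied;
        try { supplied = Convert.FromHexString(hmacHex ?? ""); }
        catch (FormatException) { return false; } // malformed hex: reject
        // Constant-time comparison; a length mismatch also returns false.
        return CryptographicOperations.FixedTimeEquals(Mac(invitationId, serverKey), supplied);
    }

    // Approach 2: a 256-bit random code, stored in the invitation row and
    // looked up when the link is opened.
    public static string NewCode()
        => Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
}

public static class Demo
{
    public static void Main()
    {
        // Constructed key for the demo; a real key lives in protected configuration.
        byte[] serverKey = RandomNumberGenerator.GetBytes(32);
        string mac = InvitationLinks.SignId(3, serverKey);
        Console.WriteLine($"Register.aspx?UserId=3&hmac={mac}");
        Console.WriteLine(InvitationLinks.VerifyId(3, mac, serverKey)); // same ID
        Console.WriteLine(InvitationLinks.VerifyId(4, mac, serverKey)); // ID changed in the URL
        Console.WriteLine($"Register.aspx?Code={InvitationLinks.NewCode()}");
    }
}
```

With either approach, marking the invitation row as used once the account is created keeps a link from being replayed.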
