I'm building a website with HTML5, CSS, JavaScript, PHP and a MySQL DB. I've created a login page and a 'create new user' page and would like to have an e-mail sent to activate the user account. What I've built now is working, but I would like to verify that I'm doing it safely enough.
When creating the user account I use this code:
// $password and $uname come from the registration form (not shown here)
$Allowed_Chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$Chars_Len = 63;                 // highest valid index into $Allowed_Chars (64 characters)
$Blowfish_Pre = 'xxxxxxxxxxx';   // <- not sure if that is something I can share with anyone
$Blowfish_End = 'xxxxxxxxxxx';   // <- not sure if that is something I can share with anyone
$Salt_Length = 21;
$mysql_date = date('Y-m-d');
$salt = "";
for ($i = 0; $i < $Salt_Length; $i++) {
    $salt .= $Allowed_Chars[mt_rand(0, $Chars_Len)];
}
$bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;
$hashed_password = crypt($password, $bcrypt_salt);
// called without a salt argument on purpose (see below); note that since PHP 8.0 crypt() requires the salt parameter
$activationkey = crypt($hashed_password . $uname);
(I use the hashed_password + uname to create a new hash for $activationkey, without salt.)
In the database I then store: uname, hashed_password, salt, activationkey and I set a flag that shows the account is NOT activated.
Then I send an e-mail to the user with the activationkey included.
When the user clicks the link I search for the e-mail address and activationkey. If found, I clear the activationkey field in the database, set the flag to show the user is activated and then redirect the user to the activation page.
Would love to hear your thoughts on this.
Gabrie
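As an added example, not Gabrie's code, here is the same register/activate/login flow written against PHP's built-in password API and a CSPRNG-generated activation token, storing only the token's hash with an expiry; the in-memory $users array, the 24-hour lifetime and the sample user are constructed stand-ins for the MySQL table and the site's own policy.

```php
<?php
// Added example (not the original poster's code): registration, activation and
// login with password_hash()/password_verify() and a random, single-use,
// expiring activation token. $users is a constructed stand-in for the DB table.

const ACTIVATION_TTL = 24 * 3600; // token lifetime in seconds (assumed policy)

function create_user(array &$users, string $uname, string $password): string {
    // password_hash() generates and embeds its own bcrypt salt; no hand-rolled salt needed.
    $hashed = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // 32 bytes from the CSPRNG (not mt_rand()); the raw token goes only into the e-mail link.
    $token = bin2hex(random_bytes(32));
    $users[$uname] = [
        'hash'            => $hashed,
        'activation_hash' => hash('sha256', $token), // store a hash of the token, not the token
        'activation_exp'  => time() + ACTIVATION_TTL,
        'active'          => false,
    ];
    return $token; // caller embeds this in the activation link
}

function activate_user(array &$users, string $uname, string $token): bool {
    if (!isset($users[$uname]) || $users[$uname]['active']) {
        return false;
    }
    $u = &$users[$uname];
    // Constant-time comparison against the stored hash; reject expired tokens.
    $ok = hash_equals($u['activation_hash'], hash('sha256', $token))
        && time() <= $u['activation_exp'];
    if ($ok) {
        $u['active'] = true;
        $u['activation_hash'] = ''; // single use: clear after a successful activation
    }
    return $ok;
}

function login(array $users, string $uname, string $password): bool {
    return isset($users[$uname])
        && $users[$uname]['active']             // inactive accounts cannot log in
        && password_verify($password, $users[$uname]['hash']);
}

// Constructed walk-through with a sample user
$users = [];
$token = create_user($users, 'gabrie', 'correct horse battery staple');
var_dump(login($users, 'gabrie', 'correct horse battery staple')); // before activation
var_dump(activate_user($users, 'gabrie', 'not-the-real-token'));
var_dump(activate_user($users, 'gabrie', $token));
var_dump(login($users, 'gabrie', 'correct horse battery staple')); // after activation
```

In a real deployment the array writes become prepared INSERT/UPDATE statements and the activation link carries the username (or e-mail) plus the raw token, so the lookup is by username and the token is checked with hash_equals() rather than used directly in the query.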