I'm verifying user email address.
The way most people tell is to create some unique token store it in db and
send to user.
I'm doing it with just hashing (sha256) email addres with sitewide salt
and sending this hash to user.
Am i missing something or is this enough to verify?
A couple of things that might be worth a look (or not).
If someone finds out your salt, then they can reconstruct your hashes and flood your system. In this case you'd want to make sure that a user requested addition of their e-mail address to whatever you're creating. (That is, I wouldn't get rid of storing the hash in the DB altogether.)
Also, if the salt is the same, the hash will be the same if they request again from that same e-mail address. Do you want a different hash each time a request is made, even for the same e-mail address? You could concatenate the server date/time to the e-mail address before you hash it to make it different each time.
You can do that and if nobody gets the serverside salt, it's save. In the end it's email validation, and if you don't need to do it for legal reasons, there is no need to make it more complicated.
But it depends on your goals. Do want it to be extra safe? Do you want to be easy to implement? Do you want it easy to maintain? Are you thinking about execution time of your scripts?
BTW: One very nasty thing when having a long link in an email: There may be email cients which break your link, so maybe add the code along with the link and if the code is not completly transfered through the link, have a form where the user can add the code.
