1. No, GUIDs are not fully random, and most of the bits are either static or easily guessable.
2. No, they're not random, see 1. There is actually a very small number of bits that are actually random, and not cryptographically strong random at that.
3. It's not, see 1 and 2.
4. You can, but don't need to... see my solution at the end.
5. No, see 1 and 2.
6. Yes.
What you should be using instead of a GUID is a cryptographically strong random number generator - use System.Security.Cryptography.RNGCryptoServiceProvider to generate a long (say, 32 bytes) string of data, then base64 encode that.
Also, assuming this is some kind of registration with sensitive data, you'd want to time limit the validity of the link, say 60 minutes, or 24 hours - depends on your site.
You'll need to keep a mapping of these values to the specific users. Then you can automatically present him with the proper form as needed. Don't need to do URL rewriting, just use that as the user's identifier (on this page).
Of course, don't forget this URL should be HTTPS...
Btw, just a note - it's good practice to include some form of text in the email, explaining that the user should click the link in the anonymous email, that in general it is your site that sent the URL, and that after clicking through they should never enter their password......
Oh, almost forgot - another issue you should consider is what happens if the user wants several emails sent to him, e.g. hits register several times. Can he do this over and over again, and get many valid URLs? Is only the last one valid? Or maybe the same value gets resent over and over again? Of course, if an anonymous user can put in a request for this email, then DoS may become an issue... not to mention that if he puts in his own email, he can put in any random address too, flooding some poor shmuck's inbox and possibly causing your mail server to get blacklisted...
No one right answer, but needs to be considered in context of your application.
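As an added example (not code from the answer above), here is the approach it describes in C#: 32 bytes from the CSPRNG, base64 encoded, kept in a server-side map to the user with an expiry, and redeemable only once. The class name, the in-memory dictionary and the "user-42" / example.com values are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper: issues and redeems one-time, time-limited registration tokens.
public sealed class RegistrationTokens
{
    private sealed class Entry
    {
        public string UserId;
        public DateTimeOffset ExpiresUtc;
    }

    // Server-side mapping token -> user/expiry (in memory here; use a DB in practice).
    private readonly ConcurrentDictionary<string, Entry> _tokens = new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    public RegistrationTokens(TimeSpan lifetime) { _lifetime = lifetime; }

    // 32 bytes from the CSPRNG (RandomNumberGenerator.Create() is the portable form of
    // RNGCryptoServiceProvider), base64 encoded so it fits in a URL query string.
    public string Issue(string userId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        // URL-safe base64 so '+' and '/' need no escaping in the link.
        string token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _tokens[token] = new Entry { UserId = userId, ExpiresUtc = DateTimeOffset.UtcNow + _lifetime };
        return token;
    }

    // Redeems a token exactly once; returns the user id, or null if unknown or expired.
    public string Redeem(string token)
    {
        if (!_tokens.TryRemove(token, out var entry))   // atomic removal => single use
            return null;
        return DateTimeOffset.UtcNow <= entry.ExpiresUtc ? entry.UserId : null;
    }

    public static void Main()
    {
        var tokens = new RegistrationTokens(TimeSpan.FromMinutes(60));
        string t = tokens.Issue("user-42");                      // constructed sample user
        Console.WriteLine("https://example.com/register?token=" + t);
        bool ok = tokens.Redeem(t) == "user-42" && tokens.Redeem(t) == null;
        Console.WriteLine(ok ? "single-use token OK" : "token logic broken");
    }
}
```

Issuing a new token on a repeat "register" click simply adds another valid entry here; if only the latest link should work, remove the user's earlier entries in Issue.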