I would recommend having a field called something like "ActivationToken" and have a GUID generated. You can do this in SQL directly by calling the newid() function, or in C# by calling Guid.NewGuid(). This is a very unique/random value that is next to impossible to brute force.
So when the user registers, you would do something like:
insert into tblUsers (Username, Password, Active, ActivationToken) values ('johndoe', 'mypassword', 0, newid()) -- Active = 0 until the token is used
The link would be like: http://yoururl.com/Activate.aspx?token={yourActivationGuid}
update tblUsers set Active = 1 where ActivationToken = '{yourActivationGuid}' -- pass the token as a query parameter, not by string concatenation
If your UserID is already a GUID, you could probably get away with just using that (such as if you're using aspnet_user tables). As for not allowing the login, just check if the Active flag is set to true. If not, disallow the login.
So to validate login you could do:
select * from tblUsers where Username = 'johndoe' and Password = 'mypassword' and Active = 1 -- single quotes: in T-SQL double quotes denote identifiers, not strings
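The register / activate / login flow above, written out as an added example (not the original answer's code) in Python with an in-memory SQLite table standing in for tblUsers. It assumes a version-4 GUID from uuid.uuid4() as the equivalent of newid() / Guid.NewGuid(), uses parameterised queries for every value that comes from the user or the URL, clears the token once used so the link is single-use, and stores a salted PBKDF2 hash instead of the plaintext password shown in the answer.

```python
import sqlite3
import uuid
import os
import hashlib
import hmac

def open_db():
    # Stand-in for tblUsers; in-memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE tblUsers (
        Username TEXT PRIMARY KEY, Salt BLOB, PasswordHash BLOB,
        Active INTEGER NOT NULL DEFAULT 0, ActivationToken TEXT)""")
    return db

def _hash(password, salt):
    # Salted PBKDF2 instead of the plaintext password column from the answer.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(db, username, password):
    # uuid4() is drawn from os.urandom, the equivalent of newid()/Guid.NewGuid().
    token = str(uuid.uuid4())
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO tblUsers (Username, Salt, PasswordHash, Active, ActivationToken)"
        " VALUES (?, ?, ?, 0, ?)",
        (username, salt, _hash(password, salt), token))
    return token  # this is what goes into Activate.aspx?token=...

def activate(db, token):
    # The token arrives from the URL: bind it as a parameter, never concatenate.
    # Nulling the token makes the link single-use; rowcount tells us if it matched.
    cur = db.execute(
        "UPDATE tblUsers SET Active = 1, ActivationToken = NULL"
        " WHERE ActivationToken = ? AND Active = 0", (token,))
    return cur.rowcount == 1

def login(db, username, password):
    # Same check as the answer's final query: credentials must match AND Active = 1.
    row = db.execute(
        "SELECT Salt, PasswordHash, Active FROM tblUsers WHERE Username = ?",
        (username,)).fetchone()
    if row is None:
        return False
    salt, stored, active = row
    return hmac.compare_digest(stored, _hash(password, salt)) and active == 1
```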