How should email address opt-in be implemented?
Scenario:
User gives you an email address. Before they can sign up for services, they need to validate the email address - you email out a URL, they click on it, then they can subscribe to the services.
Questions:
What does the URL look like? I'm thinking a random guid would be OK.
Do you use that same random key for unsubscribe requests?
Are there any good open source implementations of double-opt in I should be looking at?
I've used a random GUID before for such purposes to verify email accounts, and it works well. Unless you are dealing with ultra-secure, ultra-sensitive data then it should suffice. I see no reason not to use the same GUID for unsubscribe requests - that way you just need to store one GUID per account that can be a lookup to your subscribers database (or however you store them). You could add the unsubscribe link to the bottom of all emails, making it a simple one-click option.
This is pretty simple to implement with a random string and a GET request. I probably wouldn't use the same for unsubscribe, because you know most people are going to lose the original email. Do it the same way -- they say they want to unsubscribe, and it does so, but also sends an email saying you've been unsubscribed in case it was an accident.
Edit: You wouldn't even need to ensure a unique string, since you'd pass in the email address too.
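An added example, not code from either answer above: a double opt-in flow in which the URL carries the email address plus a random token, the confirmation token expires and is single-use, and unsubscribe links use a separate token. The host `example.com`, the 24-hour lifetime, the in-memory `subscribers` dict and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

BASE_URL = "https://example.com"   # assumed placeholder host
CONFIRM_TTL = 24 * 3600            # assumed lifetime of a confirmation link, in seconds
subscribers = {}                   # in-memory stand-in for a subscribers table


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()  # store hashes, never raw tokens


def _link(path, email, token):
    return f"{BASE_URL}/{path}?" + urlencode({"email": email, "token": token})


def start_signup(email, now=None):
    """Create a pending subscriber and return the confirmation URL to email out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    subscribers[email] = {"confirmed": False, "confirm_hash": _digest(token),
                          "confirm_expires": now + CONFIRM_TTL, "unsub_hash": None}
    return _link("confirm", email, token)


def confirm(email, token, now=None):
    """Validate a clicked link; on success return a separate unsubscribe URL."""
    now = time.time() if now is None else now
    rec = subscribers.get(email)
    if rec is None or rec["confirm_hash"] is None or now > rec["confirm_expires"]:
        return None
    if not hmac.compare_digest(rec["confirm_hash"], _digest(token)):
        return None                            # constant-time comparison failed
    unsub = secrets.token_urlsafe(32)
    rec.update(confirmed=True, confirm_hash=None, unsub_hash=_digest(unsub))
    return _link("unsubscribe", email, unsub)


def unsubscribe(email, token):
    """One-click unsubscribe using the long-lived token from the email footer."""
    rec = subscribers.get(email)
    stored = rec["unsub_hash"] if rec else None
    if stored is None or not hmac.compare_digest(stored, _digest(token)):
        return False
    del subscribers[email]
    return True
```

Because only hashes are stored, a copy of the subscribers table cannot be replayed as working confirmation or unsubscribe links.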