Securing 2 variables when passing a URL
I have created a registration page using Security Assist which generates an email response to the applicant's email address.
On receipt, the applicant is prompted to click on a link to verify their email, pretty standard stuff and this works fine.
When the link is followed, the URL passes 2 variables: a user ID and a randomly generated 21-digit verification string UID, both values taken from the user's submitted registration page.
The URL points to a confirmation page which validates the two variables against a SQL users record. This too works fine.
So, here is the problem.
I've noticed that if I manually change the id value in the URL, say from 1 to 2 whilst on the confirmation page, user 2's details are placed on the page. This happens despite leaving the verification id unchanged.
So I'm asking how this is so when each record is holding a unique 21-character verification string?
Does the recordset not need both queries to validate? It seems perhaps not.
Any ideas on how I can remove this vulnerability?
(By the way, users do not log in to undertake verification, so there is no active session present.)
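Added example, not part of the original post: a sketch of the behaviour described above, assuming the confirmation page's recordset filters on the id alone (the post does not show its query), next to a lookup that requires both URL values to match the same row and accepts each link once. The table, column and function names are hypothetical, and the data is constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data: two users, each with its own 21-character string.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,"
               " verify_uid TEXT, verified INTEGER DEFAULT 0)")
    db.executemany("INSERT INTO users (id, email, verify_uid) VALUES (?, ?, ?)",
                   [(1, "one@example.test", "A" * 21),
                    (2, "two@example.test", "B" * 21)])
    return db

def confirm_id_only(db, user_id, uid):
    # Assumed weak form: the row is chosen by id alone; uid is never compared.
    row = db.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

def confirm_both(db, user_id, uid):
    # Both URL values must match the same unverified row, in one statement.
    # The UPDATE doubles as the check: it changes a row only on a full match.
    cur = db.execute("UPDATE users SET verified = 1"
                     " WHERE id = ? AND verify_uid = ? AND verified = 0",
                     (user_id, uid))
    if cur.rowcount != 1:
        return None  # wrong id, wrong string, or link already used
    row = db.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]

if __name__ == "__main__":
    db = make_db()
    print(confirm_id_only(db, 2, "A" * 21))  # id changed, user 1's string kept
    print(confirm_both(db, 2, "A" * 21))
    print(confirm_both(db, 1, "A" * 21))
```

Both values are bound as parameters, so nothing from the URL is concatenated into the SQL text.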