user3721143 user3721143 - 1 month ago 17
PHP Question

PHP: Is this expiring link secure enough?

<?php
// create this link for use in 1 hour
$plain_key = $member_id.date('Y-m-d H');
$key = password_hash($plain_key, PASSWORD_DEFAULT);

$create_link = 'https://.....?k='.$key;
?>


<?php
// This section verifies the link key
$key_for_verify = $member_id.date('Y-m-d H');
if( password_verify($key_for_verify,$_GET['k']) )
{
// TRUE
}
else
{
// FALSE
}
?>



Please guide me if you have any ideas.

Or if you have an example, please help. Thanks.

Answer

It's better to include a timestamp in the link and embed an authentication code using HMAC-SHA512/HMAC-SHA256. Then check that the timestamp has not been modified by the user.

Generation script

// create this link for use in 1 hour
$unix_ts = time();

//convert to string
$unix_ts = $unix_ts . '';

//compute signature
$sig = hash_hmac('sha256', $unix_ts, SERVER_SECRET);

$create_link = 'https://.....?t='.$unix_ts.'&sig='.$sig;

Checking script

//recompute the signature over the timestamp from the request
$unix_ts_req = (string)($_GET['t'] ?? '');
$sig = hash_hmac('sha256', $unix_ts_req, SERVER_SECRET);

//check if signature matches (hash_equals compares in constant time)
if(hash_equals($sig, (string)($_GET['sig'] ?? '')))
{
    $gap = time() - (int)$unix_ts_req;
    if($gap < 3600)
    {
        //valid
    }
    else
    {
        //expired
    }
}
else
{
    // URL tampered with
}

The code above acts as an example. Not tested.
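
An added example (not part of the original answer) that extends the answer's HMAC approach by also signing the member id from the question, so a link issued to one member cannot be reused for another, and by storing an explicit expiry time. The function names, the m/e/sig parameter names and the example.test URL are assumptions.

```php
<?php
// Added example; function names, the m/e/sig parameters and the base URL are assumptions.

// Build a link that is valid for $ttl seconds and bound to one member.
function make_expiring_link(string $base, int $memberId, string $secret, int $ttl = 3600, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    // Sign every field the verifier will trust, joined with an unambiguous separator.
    $sig = hash_hmac('sha256', $memberId . '|' . $expires, $secret);
    return $base . '?' . http_build_query(['m' => $memberId, 'e' => $expires, 'sig' => $sig]);
}

// Returns the member id when the link is authentic and unexpired, otherwise null.
function verify_expiring_link(array $query, string $secret, ?int $now = null): ?int
{
    $m = $query['m'] ?? null;
    $e = $query['e'] ?? null;
    $sig = $query['sig'] ?? null;
    // Reject missing, array-valued or non-numeric parameters before computing anything.
    if (!is_string($m) || !is_string($e) || !is_string($sig) || !ctype_digit($m) || !ctype_digit($e)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m . '|' . $e, $secret);
    // hash_equals compares in constant time, unlike === on strings.
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    return ((int)$e >= ($now ?? time())) ? (int)$m : null;
}

// Constructed demo values; a real secret is loaded from configuration, not generated per request.
$secret = random_bytes(32);
$issued = 1700000000; // constructed issue time
$link = make_expiring_link('https://example.test/reset', 42, $secret, 3600, $issued);
parse_str(parse_url($link, PHP_URL_QUERY), $q);

var_dump(verify_expiring_link($q, $secret, $issued + 10));   // checked within the hour
var_dump(verify_expiring_link($q, $secret, $issued + 3601)); // checked after expiry
$q['m'] = '43';                                              // member id altered in the URL
var_dump(verify_expiring_link($q, $secret, $issued + 10));   // signature no longer matches
```

Unlike the hour-stamped key in the question, the explicit expiry gives every link a full hour regardless of when in the clock hour it was issued.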