Maxim Chernyak posted an article on his blog about creating an authentication token using PHP. I wouldn't recommend using that method, though. Even if the pattern looks quite complex, a program will work out the pattern from a handful of valid keys. It is very difficult to come up with an algorithm that stays secure while its only secret is the pattern itself.

If you can keep a secret from the user, which Maxim's article assumes as well, you can use MD5 to generate keys. Simply append a string you keep secret to each key before hashing: without the secret nobody can compute the hash that belongs to a given random prefix, so the hash works as a check value. (PHP's hash_hmac() does this job more robustly than md5() with the secret concatenated, and rand() is not a cryptographic random source; the structure below stays the same either way.)

define('SECRET', "s3cr3t"); # don't actually use this value

function make_token() {
  $str = "";
  for ($i=0; $i<8; $i++) $str .= rand_alphanumeric(); # append, not assign
  return $str . md5($str . SECRET);                    # 8 + 32 = 40 chars
}

If you want a shorter key (16 chars), you may use:

define('SECRET', "s3cr3t"); # don't actually use this value

function make_token() {
  $str = "";
  for ($i=0; $i<7; $i++) $str .= rand_alphanumeric();
  $pos = rand(0, 24);          # offset into the 32-char hex digest, stored as a letter A-Y
  $str .= chr(65 + $pos);
  return $str . substr(md5($str . SECRET), $pos, 8);   # 8 + 8 = 16 chars
}

Do note that a shorter key is less secure: only 8 of the 32 hex characters of the digest (32 bits) are kept, so a guessed token is accepted with probability 2^-32 instead of 2^-128, and the position letter is visible to anyone holding the token.

To validate the 16-character token you would do (for the 40-character one, compare against the full md5() instead of the 8-character slice):

  function validate_token($str) {
    if (strlen($str) != 16) return false;
    $rs = substr($str, 0, 8);
    $pos = ord($str[7]) - 65;                   # letter A-Y back to offset 0-24
    if ($pos < 0 || $pos > 24) return false;
    return $str === $rs . substr(md5($rs . SECRET), $pos, 8);  # === avoids PHP's loose comparison
  }

This code is not tested and may contain bugs
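The scheme above, ported to Python as an added example (not the page's PHP and not Maxim's code) so it can be run end to end: the 40-character and the 16-character token, their validators, and a tampered token being rejected. Two deviations are assumptions of this port rather than the page's: random characters come from Python's secrets module in place of rand(), and the comparison is constant-time via hmac.compare_digest in place of ==. The secret is a constructed placeholder.

```python
"""Port of the random-prefix + md5(prefix . SECRET) token scheme.

Added example, not the page's PHP. Deviations (assumptions of this port):
`secrets` instead of rand(), hmac.compare_digest instead of ==. The token
layout and the md5 construction are the page's.
"""
import hashlib
import hmac
import secrets
import string

SECRET = b"demo-secret-do-not-use"   # constructed placeholder; keep the real one out of source
ALPHABET = string.ascii_letters + string.digits


def rand_alphanumeric(n):
    """n random alphanumerics, the page's rand_alphanumeric() called in a loop."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def check_value(prefix):
    """md5 over the random prefix followed by the secret, as 32 hex chars."""
    return hashlib.md5(prefix.encode("ascii") + SECRET).hexdigest()


def make_token(rand_part=None):
    """40-char token: 8 random chars followed by the full hex digest."""
    rand_part = rand_part if rand_part is not None else rand_alphanumeric(8)
    return rand_part + check_value(rand_part)


def validate_token(token):
    """Recompute the digest from the first 8 chars and compare the whole token."""
    if len(token) != 40 or not token.isascii():
        return False
    prefix = token[:8]
    return hmac.compare_digest(token, prefix + check_value(prefix))


def make_short_token(rand_part=None, pos=None):
    """16-char token: 7 random chars, a position letter A-Y, 8 hex chars of the digest."""
    rand_part = rand_part if rand_part is not None else rand_alphanumeric(7)
    pos = pos if pos is not None else secrets.randbelow(25)   # 0..24, like rand(0, 24)
    prefix = rand_part + chr(65 + pos)
    return prefix + check_value(prefix)[pos:pos + 8]


def validate_short_token(token):
    """Read the offset back out of the 8th char and compare the 8-char digest slice."""
    if len(token) != 16 or not token.isascii():
        return False
    prefix = token[:8]
    pos = ord(token[7]) - 65
    if not 0 <= pos <= 24:        # a letter outside A-Y cannot be a valid position
        return False
    return hmac.compare_digest(token, prefix + check_value(prefix)[pos:pos + 8])


def tamper(token, index, char):
    """Return the token with one character replaced, to show validation catching it."""
    return token[:index] + char + token[index + 1:]


if __name__ == "__main__":
    long_tok, short_tok = make_token(), make_short_token()
    print(long_tok, validate_token(long_tok))
    print(short_tok, validate_short_token(short_tok))
    # Changing any character of the random part or of the digest invalidates the token.
    print(validate_token(tamper(long_tok, 0, "!")))
    print(validate_short_token(tamper(short_tok, 7, "Z")))
```

The validators reject on length and on a position letter outside A-Y before touching the hash, so malformed input never reaches the slice arithmetic; the constant-time compare matters because the digest is the only thing standing between a guessed prefix and a valid token.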

  6 Responses to “A better token algorithm with PHP”

  1. A secure token grid authentication PHP class

    Hello,

    I finally decided to clean up and distribute to the community a token grid class in PHP. You can have a look at it in the PHPclasses.org repository, licensed under the LGPL.

    You can produce a credit card sized printed token grid for each customer, and then each time they want to log in, we ask (in addition to the username and the password) the token at a specific position.

    Each token (by default 10×10 on one card) is calculated using an application id, a user id and the position in the grid. The token generation is based on an md5 of the parameters (you can have a look in the source code).

    Best regards, have a nice weekend.

    Any feedback welcome!

    André

  2. PHP Fatal error: Call to undefined function rand_alphanumeric()

    FAIL.

  3. Pmb: You didn’t copy the code from Maxim Chernyak.

  4. pmb – “PHP Fatal error: Call to undefined function rand_alphanumeric()

    FAIL.”

    It's from Maxim's example.

  5. rand_alphanumeric is not a PHP function, it’s a custom function:


    // return one random alphanumeric char
    function rand_alphanumeric() {
      $subsets = array();
      $subsets[0] = array('min' => 48, 'max' => 57);  // ascii digits
      $subsets[1] = array('min' => 65, 'max' => 90);  // ascii uppercase English letters
      $subsets[2] = array('min' => 97, 'max' => 122); // ascii lowercase English letters

      // random choice between digits, uppercase and lowercase
      $s = rand(0, 2);
      $ascii_code = rand($subsets[$s]['min'], $subsets[$s]['max']);

      return chr($ascii_code);
    }

    So if this is in a class you will probably want to call it with something like $this->rand_alphanumeric().



About the author

Hi, I'm Arnold Daniels. How nice that you'd like to know a bit more about little old me :).

I've spent a big part of my life behind a computer (and not playing games). I've learned a lot about databases, programming and system administration, especially on the LAMP stack (Linux, Apache, MySQL & PHP).

Have a look at what I'm working on now!
© 2012 Jasny · web development Suffusion theme by Sayontan Sinha