
I'm busy with an interface between a business application and a PHP web app. The business application will send a products file to the server, which will be uploaded a few times a day. I want to append a unique key to the URL that the web app first checks before doing anything. So the business application and the web app must use the same algorithm to generate a simple key. Any ideas?

e.g.

www.phpwebapp/uploads/products/&file='C:/products.csv'&key='Abg1h35'


EDIT

Both apps need to produce the same key, hence I need a simple algorithm, even if it's just based on the current day.

e.g.

date() + SALT = 'key';

Something a bit better than that.

Sebastien C.
Zaid Kajee
  • @JonathonReinhart This is not a dupe. A random string does not have to be unique. – amit May 09 '14 at 07:57
  • @amit Missed that, thanks. Retracted. – Jonathon Reinhart May 09 '14 at 07:58
  • Use a GUID/UUIDv4 with a good generator. Finished! i.e. see http://stackoverflow.com/questions/2040240/php-function-to-generate-v4-uuid/2040279#2040279 (note that the generation is *random*, which is good, change the base protocol to suit) – user2864740 May 09 '14 at 07:59
  • Do you just want a random string of characters? – Cully May 09 '14 at 08:00
  • It's unclear what the requirement is here. Two apps need to produce the same key independently? Or is this key pre-shared? Should it validate the content? Authenticate the submitter? What exactly is it for? – deceze May 09 '14 at 08:00
  • A random string is not going to help, because from what I understand the OP wants both the business application and the web app to generate the same key. If it is random, then it's not going to be the same. – pratim_b May 09 '14 at 08:02
  • Try searching for "generate a checksum for a file" – Cully May 09 '14 at 08:04
  • Why wouldn't the current date work? What are the requirements of your key? – Cully May 09 '14 at 08:07

1 Answer


Sounds to me like you want something like request signing:

  1. generate a random secret key that you give to the authenticating app (ahead of time, shared secret)
  2. require that the authenticating app sends its current date as part of the request
  3. require that the authenticating app creates a hash of a concatenation of

    • the date sent in 2.
    • any other unique data that's part of the request
    • the secret key

    This will form your "unique key". Since you're looking at a message authentication code, you'll want an HMAC hash. E.g.:

    code = HMAC(date + data, secret key)
    
  4. verify that the date is within a certain tolerance, e.g. ±15 minutes

  5. repeat the same hashing algorithm
  6. compare the received hash with your hash

This way you can authenticate each request as being sent by the entity in possession of the secret key without sending the secret key over the wire, and each request has a unique authentication code.

deceze
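
The six steps in the answer above, sketched in PHP as an added example that is not part of the original answer. The function names, the newline-delimited message layout, and the choice of the file's SHA-256 digest as the "data" are assumptions made here.

```php
<?php
// Added example; names and message layout are assumptions, not from the answer.

const TOLERANCE_SECONDS = 900; // the ±15 minutes from step 4

// Steps 2-3 (sender): MAC over the timestamp and the request data.
function sign_request(string $secret, int $timestamp, string $data): string
{
    // Length-prefix the data so the "date + data" concatenation
    // cannot be split in two different ways.
    $message = $timestamp . "\n" . strlen($data) . "\n" . $data;
    return hash_hmac('sha256', $message, $secret);
}

// Steps 4-6 (receiver): check freshness, recompute, compare.
function verify_request(string $secret, string $timestamp, string $data,
                        string $mac, int $now): bool
{
    if (!ctype_digit($timestamp)) {
        return false; // reject anything that is not a plain Unix timestamp
    }
    if (abs($now - (int) $timestamp) > TOLERANCE_SECONDS) {
        return false; // outside the tolerance window
    }
    $expected = sign_request($secret, (int) $timestamp, $data);
    // Constant-time comparison; == would leak how many characters matched.
    return hash_equals($expected, $mac);
}

// Constructed demo values.
$secret = random_bytes(32); // step 1: generated once, shared ahead of time
$now    = time();
$data   = hash('sha256', "sku,price\nA1,9.99\n"); // digest of constructed file contents
$mac    = sign_request($secret, $now, $data);

// Unmodified request.
var_dump(verify_request($secret, (string) $now, $data, $mac, $now));
// Same MAC presented with different file contents.
$other = hash('sha256', "sku,price\nA1,0.01\n");
var_dump(verify_request($secret, (string) $now, $other, $mac, $now));
// Correctly signed request that is an hour old.
$old = $now - 3600;
var_dump(verify_request($secret, (string) $old, $data,
                        sign_request($secret, $old, $data), $now));
```

Signing the digest of the uploaded file ties the key to that file's contents, so the same key does not validate a different upload. A captured request still verifies until its timestamp leaves the tolerance window, so a receiver that must reject repeats also has to remember the codes it has already accepted for that long.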