
I want to use an authentication token; after various searches I found the JWT token and another token-generation method with md5.

For various reasons I do not want to use the JWT token, and md5 seems to me to have a bad reputation.

So I found a method but I would like your opinion:

Generating a byte string: https://www.php.net/manual/en/function.random-bytes.php

Then I convert that into hexadecimal.

Finally, I concatenate that with the id of my user and a salt.

I send this to my application (Android or web), then during a request to my service I decode the received token, and I will see the id hidden in the token. So it is harder to find the token by brute force?

Note 1: I would like to refresh the token in the future, but for the moment it should be issued for an indefinite period.

Note 2: I do not want to use a library or framework, just PHP.

Code:

    $bytes = random_bytes(32);           // 32 random bytes from the CSPRNG
    $part = bin2hex($bytes);             // 64 hex characters
    $shortpart = substr($part, 0, 17);   // keep only the first 17 characters
    $id = $userid;                       // the user's id
    $salt = $customsalt;                 // a custom salt
    $token = $shortpart . $id . $salt;

Example:

    $shortpart = f2e4d1f2a2dfedcf5
    $id = 1
    $salt = 4d2ze121
    $token = f2e4d1f2a2dfedcf514d2ze121

The user or hacker doesn't know that his id is hidden in the token.

gulver
    You need to show us the code that does this. Even recommended security measures can be vulnerable depending on the actual implementation and usage. – M. Eriksson Jun 05 '19 at 12:29
  • 1
    _"I not want use a library or framework just in php"_ - Why not? When it comes to security, it's usually recommended to use a well tested existing library instead of writing your own solution. It's too easy to miss something that will leave your application open for attacks. – M. Eriksson Jun 05 '19 at 12:31
  • I added a code example – gulver Jun 05 '19 at 12:35
  • First reason: I would like an open project, and some libraries use restrictive licenses. Secondly, I would like pure PHP with the strict necessary for the operation of the application – gulver Jun 05 '19 at 12:43
  • This has already been answered here: https://stackoverflow.com/questions/1846202/php-how-to-generate-a-random-unique-alphanumeric-string/13733588#13733588 – Tom Jun 05 '19 at 17:11
  • `$salt=#customsalt`? I guess it's a typo, that you mean `$customsalt`? How did you generate the salt? Generating a strong and proper salt is a complete topic by itself. Also, the line `$part=bin2hex($bytes));` has a closing parentheses too many. – M. Eriksson Jun 06 '19 at 11:55
  • Also, you're creating a random string that's 64 characters long and then only use the first 17? That doesn't make much sense. Please show us your _actual_ code (since the above would throw syntax errors and warnings on several lines). There are also multiple large libraries that allow you to use them in any type of project, both open and closed source, so the "restriction" you're talking about isn't really an issue if you just look around a bit. – M. Eriksson Jun 06 '19 at 12:00

2 Answers

Add one column in the database table for time and calculate the authtoken as:

    $time = time();

and store this to database.

Encryption:

    $encrypt = base64_encode($time . $userid);

Decryption:

Get the time from table:

  $decrypt = base64_decode($encrypt);

Check this link.

php guy
  • With this method I have in my database: token | time. When I get a token from the client I take the time and I must check whether I have a token with that time and that token? Isn't the use of base64 not so secure? Because we see `==`, which indicates the base, so it's easy to know the token is generated from the time and a number (the id) – gulver Jun 05 '19 at 13:02
  • Please don't use `time()` for things like this. Also, base64 isn't encryption, it's encoding, which is not the same thing. Generating tokens with salts etc isn't trivial. Not if you want it to be secure at least. – M. Eriksson Jun 06 '19 at 12:06
After some research I think the better method is:

    $token = bin2hex(openssl_random_pseudo_bytes(32));

And customize this string.

gulver
  • Since PHP 7, `random_bytes()` is actually recommended over `openssl_random_pseudo_bytes()` since the former is a part of the core, while the `openssl_*` functions require you to have openssl enabled. Other than that, there's not really a big difference, so I'm failing to see how this is any kind of "solution"? It basically does the _exact same thing_ as you're already doing. Not to be mean, but I don't think you have enough knowledge to do this by yourself. Cryptography isn't an easy subject and if you make one small and simple mistake, you can put your entire application at risk. – M. Eriksson Jun 06 '19 at 12:13
  • Hello @MagnusEriksson, thanks for your reply. It's true I don't have enough knowledge in cryptography, so I ask for your help, to learn. I do not have code at the moment, but I would like to know if the method proposed by Tom with random_bytes() would be a good thing – gulver Jun 06 '19 at 18:32
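As an added example that is not code from the question or either answer, here is how the `random_bytes()` / `bin2hex()` token from the question and the second answer is usually issued and verified in plain PHP: the full 64 hex characters are kept (no `substr` truncation), the user id is looked up from a database row instead of being concatenated into the token, and only a SHA-256 hash of the token is stored so a leaked table does not leak usable tokens. The PDO connection, the `api_tokens` table and its columns are assumptions chosen for this example; the SQLite in-memory database at the end exists only so the file runs offline.

```php
<?php
declare(strict_types=1);

// Issue an opaque bearer token for $userId. 32 CSPRNG bytes give 256 bits of
// entropy; the id is never embedded in the token, so nothing in it is guessable.
// Table (assumed): api_tokens(token_hash, user_id, created_at)
function issue_token(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32));                  // 64 hex characters, untruncated
    $stmt  = $pdo->prepare(
        'INSERT INTO api_tokens (token_hash, user_id, created_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, time()]);
    return $token;                                       // shown to the client exactly once
}

// Verify a token presented by the client; returns the user id or null.
// The lookup is by hash, so the plaintext token never has to be stored.
// $maxAgeSeconds gives the expiry the question postpones in "Note 1".
function user_for_token(PDO $pdo, string $token, int $maxAgeSeconds = 86400 * 30): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;                                     // malformed: reject before touching the DB
    }
    $stmt = $pdo->prepare('SELECT user_id, created_at FROM api_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                     // unknown token
    }
    if (time() - (int) $row['created_at'] > $maxAgeSeconds) {
        return null;                                     // expired: client must obtain a new one
    }
    return (int) $row['user_id'];
}

// Stand-alone demonstration with an in-memory SQLite database (constructed here).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE api_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, created_at INTEGER)');

$issued = issue_token($pdo, 1);
var_dump(user_for_token($pdo, $issued) === 1);           // bool(true)
var_dump(user_for_token($pdo, 'f2e4d1f2a2dfedcf514d2ze121'));  // NULL: not a valid token
var_dump(user_for_token($pdo, str_repeat('0', 64)));      // NULL: well-formed but unknown
```

Compared with the first answer's `base64_encode($time . $userid)`, note that base64 is reversible encoding, so that value reveals both the time and the id to anyone who holds it; a random token tied to the user by a database row reveals nothing.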