Create Auth Tokens with PHP
Working with OAuth and similar authentication protocols requires the use of temporary tokens which represent unique handshakes between multiple web services. These tokens must be unique, securely stored, and the longer, the better.
Since I've been out of the PHP game for a while, I was researching how to create such tokens without additional libraries. The following snippet does the trick:
// bin2hex(random_bytes($length))
$token = bin2hex(random_bytes(64));

/* Examples:
39e9289a5b8328ecc4286da11076748716c41ec7fb94839a689f7dac5cdf5ba8bdc9a9acdc95b95245f80a00d58c9575c203ceb541507cce40dd5a96e9399f4a
1c46538c712e9b5bf0fe43d692147004f617b494d004e29daaf33e4528f253db5d911a690856f0b77cfa98103c8231bffff869f179125d17d28e52bfadb9f205
...
*/
If you aren't using PHP 7 or above, you can fall back to the following:
$token = bin2hex(openssl_random_pseudo_bytes(64));
Having the backing of OpenSSL for token generation gives confidence that the token will be unique. Of course you can also do a storage check to ensure the token isn't already in use, but if you use a length of 64 bytes or larger, the chances you repeat a token are incredibly slim!
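As an added example (not code from the original post), here is the generation step above together with the storage side the post only alludes to: the token is hashed before it is stored, so a leaked table does not hand out usable credentials. It also includes the URL-safe base64 variant mentioned in the comments. It assumes PHP 7 or later (or random_compat on 5.x) and uses an in-memory array as a stand-in for whatever datastore you actually use.

```php
<?php
// Added example, not from the original post. The $store array is a
// constructed stand-in for a database table keyed by token hash.

function createToken(int $bytes = 32): string {
    // random_bytes() throws on PHP 7+ if no CSPRNG is available, rather
    // than silently returning weak output (unlike the OpenSSL fallback).
    $raw = random_bytes($bytes);
    // Base64url: swap + and / for - and _ and drop the = padding, so the
    // token can travel in URLs, headers and cookies without re-encoding.
    // 32 bytes gives 43 characters instead of 64 hex characters.
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function tokenKey(string $token): string {
    // Store a SHA-256 of the token, never the token itself. The input is
    // already high-entropy, so no salt or slow KDF is needed here.
    return hash('sha256', $token);
}

function storeToken(array &$store, string $token, int $ttlSeconds = 3600): void {
    $store[tokenKey($token)] = ['expires' => time() + $ttlSeconds];
}

function verifyToken(array $store, string $presented): bool {
    // Hashing the presented value first means the lookup never touches the
    // raw secret; a timing difference on the hash lookup reveals nothing
    // useful because SHA-256 is preimage-resistant.
    $key = tokenKey($presented);
    if (!isset($store[$key])) {
        return false;
    }
    // Treat expired tokens as invalid rather than relying on a cleanup job.
    return $store[$key]['expires'] > time();
}

// Usage with the constructed in-memory store.
$store = [];
$token = createToken();
storeToken($store, $token);
var_dump(verifyToken($store, $token));        // the issued token
var_dump(verifyToken($store, createToken())); // an unrelated fresh token
```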
Thanks for sharing!
I've used this, because it produces a shorter string:
Usually I replace + and / with - and _, so it doesn't need encoding anywhere:

A word of advice: don't use openssl_random_pseudo_bytes() as a fallback for random_bytes() in PHP 5.x, use the random_compat library instead: https://github.com/paragonie/random_compat.

Thanks for the trick. How's the random_compat compared to openssl_random_pseudo_bytes()