Create Auth Tokens with PHP


Working with OAuth and similar authentication protocols requires the use of temporary tokens which represent unique handshakes between multiple web services.  These tokens must be unique, securely stored, and the longer, the better.

Since I've been out of the PHP game for a while, I was researching how to create such tokens without additional libraries.  The following snippet does the trick:

// bin2hex(random_bytes($length))
// random_bytes() (PHP 7+) reads from the operating system's CSPRNG and throws
// if no secure source is available; 64 random bytes become 128 hex characters.
$token = bin2hex(random_bytes(64));

/*
  Examples:

  39e9289a5b8328ecc4286da11076748716c41ec7fb94839a689f7dac5cdf5ba8bdc9a9acdc95b95245f80a00d58c9575c203ceb541507cce40dd5a96e9399f4a
  1c46538c712e9b5bf0fe43d692147004f617b494d004e29daaf33e4528f253db5d911a690856f0b77cfa98103c8231bffff869f179125d17d28e52bfadb9f205
  ...
*/

If you aren't using PHP 7 or above, you can fall back to the following:

$token = bin2hex(openssl_random_pseudo_bytes(64));

Having OpenSSL's random number generator behind token generation gives confidence that each token will be unique.  You can also check your storage to make sure a token isn't already in use, but with a length of 64 or larger the chance of repeating a token is incredibly slim!
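The post covers generation only; the tokens also have to be "securely stored", as the introduction says, and later verified. The following is an added example (my code, not the article's) that ties those steps together: it generates a token with random_bytes(), falls back to openssl_random_pseudo_bytes() only when that function reports a cryptographically strong result via its $crypto_strong out-parameter, stores a SHA-256 fingerprint of the token rather than the token itself, and verifies a presented token with hash_equals(). The in-memory $store array, the one-hour lifetime and the function names are assumptions for the demo.

```php
<?php
// Added example, not the article's code: issue an opaque auth token, keep only
// its hash, and verify a presented token without leaking timing information.

const TOKEN_BYTES = 32; // 256 bits of entropy; the article uses 64 bytes

function generateToken($bytes = TOKEN_BYTES)
{
    if (function_exists('random_bytes')) {
        // PHP 7+: OS-backed CSPRNG, throws an Exception if no secure source exists.
        return bin2hex(random_bytes($bytes));
    }
    // Legacy fallback (PHP 5.x). openssl_random_pseudo_bytes() can return bytes
    // from a weak source; it reports that through the $crypto_strong flag, so
    // refuse to mint a token unless the flag is true.
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || $strong !== true) {
        throw new RuntimeException('No cryptographically strong random source available');
    }
    return bin2hex($raw);
}

// Fingerprint for storage: a leaked token table then contains nothing usable,
// because the stored value cannot be turned back into the token the client holds.
function tokenFingerprint($token)
{
    return hash('sha256', $token);
}

// Issue: hand the raw token to the client once, persist only the fingerprint
// plus whatever metadata the application needs (subject, expiry).
function issueToken(array &$store, $subject)
{
    $token = generateToken();
    $store[tokenFingerprint($token)] = array(
        'subject' => $subject,
        'expires' => time() + 3600, // one-hour lifetime (assumed policy)
    );
    return $token;
}

// Verify: recompute the fingerprint and compare with hash_equals(), which runs
// in constant time regardless of where the first differing byte is.
// Returns the subject the token was issued for, or null if unknown/expired.
function verifyToken(array $store, $presented)
{
    $fp = tokenFingerprint($presented);
    foreach ($store as $storedFp => $meta) {
        if (hash_equals($storedFp, $fp)) {
            if ($meta['expires'] < time()) {
                return null; // expired; treat like an unknown token
            }
            return $meta['subject'];
        }
    }
    return null;
}

// Demo run
$store = array();
$token = issueToken($store, 'user:42');
printf("issued token (%d hex chars): %s\n", strlen($token), $token);
printf("stored fingerprint:           %s\n", array_keys($store)[0]);
var_dump(verifyToken($store, $token));                  // subject of the valid token
var_dump(verifyToken($store, bin2hex(random_bytes(32)))); // unrelated token: null
```

In a real deployment the $store array would be a database table indexed by the fingerprint column; looking the row up directly by fingerprint is fine, because the fingerprint is derived from a high-entropy secret the caller already had to present, and hash_equals() on the fetched value still guards the final comparison.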


Discussion

  1. Thanks for sharing!

  2. Valtteri

    I’ve used this, because it produces a shorter string:

    $token = base64_encode(random_bytes(64));
    
    // Example:
    // yak91pYnDWkaDPEjGAOgGcdTA4ybHF+R+5KVcvgfuoAJz3QMmaxJfBYIkKT9zpSDRE6jfHMW9jahsw1b/aMXtw==
    

    Usually I replace + and / with - and _, so it doesn’t need encoding anywhere:

    $token = strtr($token, '+/', '-_');
    
  3. A word of advice: don’t use openssl_random_pseudo_bytes() as a fallback for random_bytes() in PHP 5.x, use the random_compat library instead: https://github.com/paragonie/random_compat.

  4. Thanks for the trick. How’s the random_compat compared to openssl_random_pseudo_bytes()?
