Building Resilient Systems on AWS: Learn how to design and implement a resilient, highly available, fault-tolerant infrastructure on AWS.

Create Auth Tokens with PHP

By David Walsh on April 25, 2017

Working with OAuth and similar authentication protocols requires the use of temporary tokens which represent unique handshakes between multiple web services. These tokens must be unique, securely stored, and the longer, the better.

Since I've been out of the PHP game for a while, I was researching how to create such tokens without additional libraries. The following snippet does the trick:

// bin2hex(random_bytes($length))
$token = bin2hex(random_bytes(64));

/*
  Examples:

  39e9289a5b8328ecc4286da11076748716c41ec7fb94839a689f7dac5cdf5ba8bdc9a9acdc95b95245f80a00d58c9575c203ceb541507cce40dd5a96e9399f4a
  1c46538c712e9b5bf0fe43d692147004f617b494d004e29daaf33e4528f253db5d911a690856f0b77cfa98103c8231bffff869f179125d17d28e52bfadb9f205
  ...
*/

If you aren't using PHP7 or above, you can fallback to the following:

$token = bin2hex(openssl_random_pseudo_bytes(64));

Having the backing of OpenSSL for token generation gives confidence that the token will be unique. Of course you can also do a storage check to ensure the token isn't already in use, but if you use a length of 64 or larger, the chances you repeat a token are incredibly slim!

Recent Features

By Soledad PenadésJuly 22, 2014
From Webcam to Animated GIF: the Secret Behind chat.meatspac.es!
My team mate Edna Piranha is not only an awesome hacker; she's also a fantastic philosopher! Communication and online interactions is a subject that has kept her mind busy for a long time, and it has also resulted in a bunch of interesting experimental projects...
By David WalshOctober 9, 2013
5 Awesome New Mozilla Technologies You’ve Never Heard Of
My trip to Mozilla Summit 2013 was incredible. I've spent so much time focusing on my project that I had lost sight of all of the great work Mozillians were putting out. MozSummit provided the perfect reminder of how brilliant my colleagues are and how much...

Incredible Demos

By David WalshApril 1, 2010
MooTools Zoomer Plugin
I love to look around the MooTools Forge. As someone that creates lots of plugins, I get a lot of joy out of seeing what other developers are creating and possibly even how I could improve them. One great plugin I've found is...
By David WalshApril 22, 2015
Geolocation API
One interesting aspect of web development is geolocation; where is your user viewing your website from? You can base your language locale on that data or show certain products in your store based on the user's location. Let's examine how you can...

Discussion

Rafael Corrêa Gomes
Thanks for sharing!

Valtteri

I’ve used this, because it’s produces a shorter string:

$token = base64_encode(random_bytes(64));

// Example:
// yak91pYnDWkaDPEjGAOgGcdTA4ybHF+R+5KVcvgfuoAJz3QMmaxJfBYIkKT9zpSDRE6jfHMW9jahsw1b/aMXtw==

Usually I replace + and / with - and _, so it doesn’t need encoding anywhere:

$token = strtr($token, '+/', '-_');

Loz Calver
A word of advice: don’t use openssl_random_pseudo_bytes() as a fallback for random_bytes() in PHP 5.x, use the random_compat library instead: https://github.com/paragonie/random_compat.
Parth Patel
Thanks for the trick. How’s the random_compat compared to openssl_random_pseudo_bytes()

Create Auth Tokens with PHP

Recent Features

From Webcam to Animated GIF: the Secret Behind chat.meatspac.es!

5 Awesome New Mozilla Technologies You’ve Never Heard Of

Incredible Demos

MooTools Zoomer Plugin

Geolocation API

Discussion