Login token with sha256

I need to create a login token that I can pass from site 1 to site 2 in a querystring. I don't need to transfer a username or id, I just need to know on site 2 that the user has a valid login on site 1.

I currently create the token like this

timestamp|sha256(timestamp+secret)

On site 2 I create a sha256 of the given timestamp+secret, and match it with the given hash. I also check the timestamp, and don't validate if it's older than 5 min.

Is this a reasonably safe way of doing it?

Would it be easy to crack open the sha256 and get the secret?

Answers


You can use an HMAC to provide an authenticated message between two parties that already have a shared secret key. What you have described is very similar to an HMAC, because it's a type of Message Authentication Code. Although I would actually use an HMAC function to do this.

To crack an HMAC you have to brute-force the secret using the Authentication Code (the hashed part of the message). The attacker knows the timestamp, so they can keep guessing the secret. Just make the secret really large and very random, like some output from /dev/random is a good choice.
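As an added example (not code from the question or the answer above), here is the scheme the answer recommends in Python: site 1 mints `timestamp|HMAC-SHA256(secret, timestamp)`, and site 2 recomputes the MAC, enforces the 5-minute window and compares in constant time. The secret value, the `MAX_AGE_SECONDS` constant and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Shared secret, generated once and stored on both sites. Constructed
# placeholder here; in practice use e.g. secrets.token_bytes(32) and keep it
# out of source control.
SECRET = b"constructed-placeholder-replace-with-32-random-bytes"
MAX_AGE_SECONDS = 300  # tokens older than 5 minutes are rejected


def make_token(secret: bytes, now: int) -> str:
    """Site 1: build 'timestamp|hex(HMAC-SHA256(secret, timestamp))'."""
    ts = str(int(now))
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}|{mac}"


def verify_token(secret: bytes, token: str, now: int,
                 max_age: int = MAX_AGE_SECONDS) -> bool:
    """Site 2: True only if the MAC matches and the timestamp is fresh."""
    try:
        ts_str, given_mac = token.split("|", 1)
        ts = int(ts_str)
    except ValueError:
        # Malformed token: missing separator or non-numeric timestamp.
        return False
    # Reject stale tokens and tokens dated in the future (e.g. forged or
    # produced by a badly skewed clock).
    if ts > now or now - ts > max_age:
        return False
    expected = hmac.new(secret, ts_str.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in time independent of where the digests differ,
    # so an attacker cannot learn the MAC byte by byte from response timing.
    return hmac.compare_digest(expected, given_mac)


if __name__ == "__main__":
    tok = make_token(SECRET, int(time.time()))
    print(tok, verify_token(SECRET, tok, int(time.time())))
```

Within the window the same token verifies repeatedly, so a site 2 that must also refuse reuse has to remember which timestamps it has already accepted.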

