Login token with sha256
I need to create a login token that I can pass from site 1 to site 2 in a querystring. I don't need to transfer a username or id, I just need to know on site 2 that the user has a valid login on site 1.
I currently create the token like this
On site 2 i create a sha256 of the given timestamp+secret, and match it with the given hash. I also check the timestamp, and doesn't validate if it's older than 5 min.
Is this a reasonably safe way of doing it?
Would it be easy to crack open the sha256 and get the secret?
You can use an HMAC to provide an authenticated message between two parties that already have a shared secret key. What you have described is very similar to an HMAC, because its a type of Message Authentication Code. Although I would actually use an HMAC function to do this.
To crack an hmac you have to brute force secret using the the Authentication Code (the hashed part of the message). The attacker knows the timestamp, so they can keep guessing the secret. Just make the secret really large and very random, like some output from /dev/random is a good choice.