tags:

views:

1602

answers:

2
Q: 

PHP API Key Generator

Does anyone know of any API key generator script/class for PHP? The class should have method generate, that would generate a key and isValid() method, to check if the key is valid.

Thanks!

+4  A: 

just use something like this (pseudo code) sha1(salt + time + mac-addr + another salt + some other random data) crc32 or md5 would also work inestead of sha1 and store it in a database and then isValid() checks the db if the key exists?

thr  2009-09-19 12:30:47
That was my first thought :).
xpepermint  2009-09-19 13:14:21
Dont forget that you can't just take the SHA1 (or any other hash) checksum and check if it's "valid", unless you provide all the other data as well...
jcinacio  2009-09-19 13:32:23
you can't find mac address of the target computer if not on your local network. don't forget!
dusoft  2009-09-19 15:30:48
Why would you add multiple salts? That adds only in possibly confusing yourself, not in making anything more 'secure'.
nilamo  2009-09-19 15:32:14
@nimalo: You're 100% correct, I think I ment to type "other random data" or something there to.
thr  2009-09-19 17:54:23
+6  A: 

There are multiple ways to generate API keys. I've used following 3 methods depending on the applications,

  1. Base62(random). Generate a large secure random number and Base-62 encode it. The key looks like "w5vt2bjzf8ryp63t". This is good for self-provisioned system. You don't have to worry about collision and inappropriate keys. You have to check database to know if the key is valid.

  2. Base62(MD5-HMAC(key, Normalize(referer))). This works great if the API is only allowed from one site. Just check the HMAC of the normalized referer and you know if the key is valid, no database access. You need to keep the HMAC key secret to do this.

  3. Human assigned friendly names like "example.com". This works great if API users are required to own a domain or they are your corporate partners.

Please keep in mind that there is no security in API keys. It's just a name assigned to your API application. More and more people are using terms like "App ID" or "Dev ID" to reflect what it really is. You have to assign another secret key if you want secure your protocol, like consumer_key/consumer_secret in OAuth.

ZZ Coder  2009-09-19 15:28:41

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases