tags:
views: 56
answers: 1

I need to give unregistered visitors access to a specific page of a website when the admin sends them a link with a token (like we often see for account activation or password renewal).

Obviously, the token needs to be unique, as the token itself will dictate what is visible to the visitor (the token will be stored in a MySQL DB with the access given, status, expiry, etc.).

This is what I have, mashed up together from multiple sources:

// Static secret mixed into the hash (single-quoted PHP string, so nothing is interpolated)
$key = '#}~*$/"$?&*(."*/[!%]/${"/}';
// uniqid() with no prefix: 13 hex characters derived from the current time (seconds + microseconds)
$unique = uniqid();
// uniqid prefix followed by the first 19 hex characters of sha512(uniqid . key . microtime())
$token = $unique.substr(hash('sha512',$unique.$key.microtime()), 0, 19);

It results in a 32-character string, with the first 13 characters that can be reversed to get the time created and the last 19 for adding uniqueness.

Is this unique/secure enough?

Is 32 characters long enough for a URL token?
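The scheme from the question, reproduced beside a CSPRNG-based alternative, as an added example that is not code from the original post. It decodes the uniqid() prefix back to a creation timestamp (the reversal the question mentions) and counts how many of the 32 characters are actually unpredictable in each scheme. The $key value is the one from the question; the function names and the 16-byte random_bytes() replacement are assumptions of this example.

```php
<?php
// Added example, not from the original question. Compares the questioner's
// uniqid()-based token with a token drawn from the OS CSPRNG via random_bytes().

// The questioner's construction, reproduced for comparison. Only the
// 19-character suffix can carry secrecy, and only while $key stays secret:
// the 13-character uniqid() prefix is derived from the clock, and microtime()
// is within microseconds of the value uniqid() already exposes.
function questionerToken(string $key): string
{
    $unique = uniqid();
    return $unique . substr(hash('sha512', $unique . $key . microtime()), 0, 19);
}

// uniqid() without a prefix is sprintf("%08x%05x", seconds, microseconds):
// 8 hex digits of Unix time followed by 5 hex digits of microseconds.
// Decoding the prefix of a token gives its creation time.
function decodeUniqidPrefix(string $token): array
{
    $seconds = hexdec(substr($token, 0, 8));
    $micros  = hexdec(substr($token, 8, 5));
    return ['created_at' => $seconds, 'microseconds' => $micros];
}

// Upper bound on the entropy (bits) of a hex string whose characters are
// uniformly random: four bits per hex character.
function hexEntropyBits(int $hexChars): int
{
    return $hexChars * 4;
}

// Replacement: 16 bytes from the CSPRNG, hex-encoded. Also 32 characters,
// but all 128 bits are unpredictable and nothing in the token encodes
// when it was made or depends on a static secret in the source code.
function randomToken(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

$key = '#}~*$/"$?&*(."*/[!%]/${"/}';   // the key from the question
$old = questionerToken($key);
$new = randomToken();

printf("old token: %s (%d chars)\n", $old, strlen($old));
$t = decodeUniqidPrefix($old);
printf("  prefix decodes to %s.%06d\n", date('c', $t['created_at']), $t['microseconds']);
printf("  unpredictable part at most: 19 hex chars = %d bits\n", hexEntropyBits(19));
printf("new token: %s (%d chars)\n", $new, strlen($new));
printf("  unpredictable part: 32 hex chars = %d bits\n", hexEntropyBits(32));
```

The comparison makes the question's own observation concrete: in the posted scheme, 13 of the 32 characters are a timestamp anyone can read, and the remaining 19 are only as secret as the hard-coded $key. Drawing the whole token from random_bytes() gives the same length with 128 bits of entropy and no dependence on a constant that lives in source control.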

+1  A: 

That seems way more secure than you could ever need it to be (I don't know exactly what data you are trying to keep out). If you wanted, you could make the token usable for only one session, or however many sessions you feel would be enough to give the visitor. You could make it so that if they use up the token they were given in one session but don't finish what they need to do, they need to get another to go back, if that's reasonable.

What you are doing is plenty for security, however. The only way someone can get the token is if they guess it, and those tokens are very hard to guess. It's not really a huge deal unless you are overly concerned about pirates getting at your info. Since it's a URL token, it will be visible to everyone in the email you send it in, or wherever. You obviously have to make it visible.

The only way you could make it even more secure is to give the user a token that they can use to create their own strong password, which is hashed. Then you are not storing the password, and it is more secure.

tandu
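The single-use, expiring token the answer suggests, as an added example that is not part of the question or the answer. It assumes an in-memory PHP array in place of the questioner's MySQL table; the row fields (page_id, expires_at, used), the one-day lifetime and the function names are assumptions of this example. Only a hash of the token is stored, so the emailed link is the sole copy of the secret.

```php
<?php
// Added example, not from the question or answer: a single-use token that
// also expires. An in-memory array stands in for the questioner's MySQL
// table; the row fields and the one-day lifetime are assumptions.

const TOKEN_TTL_SECONDS = 24 * 3600;

// Issue a token that grants access to one page. Only sha256(token) is stored,
// so a leaked database does not yield working links; the raw token goes into
// the emailed URL and is never persisted.
function issueToken(array &$store, string $pageId, int $now): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the OS CSPRNG, 32 hex chars
    $store[hash('sha256', $token)] = [
        'page_id'    => $pageId,
        'expires_at' => $now + TOKEN_TTL_SECONDS,
        'used'       => false,
    ];
    return $token;
}

// Redeem the token from the URL. Returns the page id once, on the first valid
// use; a reused, expired, malformed or unknown token yields null. With MySQL
// the lookup would be SELECT ... WHERE token_hash = ? against the stored hash.
function redeemToken(array &$store, string $token, int $now): ?string
{
    // Reject anything that is not 32 lowercase hex characters before hashing.
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;
    }
    $hashKey = hash('sha256', $token);
    if (!isset($store[$hashKey])) {
        return null;
    }
    $row = &$store[$hashKey];
    if ($row['used'] || $now >= $row['expires_at']) {
        return null;
    }
    $row['used'] = true;   // burn the token on first successful use
    return $row['page_id'];
}

$store = [];
$now   = time();

$token = issueToken($store, 'report-42', $now);
printf("link: https://example.test/view?t=%s\n", $token);   // placeholder host

var_dump(redeemToken($store, $token, $now + 60));            // first use: grants the page
var_dump(redeemToken($store, $token, $now + 120));           // same link again: refused
$late = issueToken($store, 'report-43', $now);
var_dump(redeemToken($store, $late, $now + TOKEN_TTL_SECONDS + 1));   // expired: refused
var_dump(redeemToken($store, str_repeat('0', 32), $now));    // unknown token: refused
```

Marking the row used on the first successful redemption is what makes a forwarded or logged URL harmless after the intended visitor has used it; the expiry bounds the window in which an unused link can still be picked up from an inbox or mail server.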