I want to use hmac to authenticate a user by email The hmac will be stored in the database along with the userid.
$payload for decryption as well?Am I doing it right?
I don't get any string in the url querystring?
This is my testpage with the following
$secret = "dfjhglkhniuh65645";
$payload= "234|somedata";
$hmac = hash_hmac("sha2", $payload, $secret, true);
//$hmac = base64_encode($hmac);
if (! function_exists("hash_hmac")) {
echo "hmac function does not exist";
}
$uri="test.php?hash=$hmac";
if(!isset($_GET['hash'])){
header('location: ' . $uri);
exit();
}
echo "testpage<br><br>";
if(isset($_GET['hash']) && !empty($_GET['hash']))
{
$sig = $_GET['hash'];
$expected_sig = hash_hmac("sha2", $payload, $secret, true);
if($expected_sig === $sig)echo "verification succeeded";
}
These are the possible values for hashing algorithms. http://www.php.net/manual/en/function.hash-algos.php
I moved your code a little bit, and got rid of the raw output for hash_hmac (not sure why you wanted that) and it works for me.
<?php
if (!function_exists("hash_hmac")) {
echo "hmac function does not exist";
die();
}
$secret = "dfjhglkhniuh65645";
$payload = "234|somedata";
$hmac = hash_hmac('sha256', $payload, $secret);
$uri = "test.php?hash=$hmac";
if (!isset($_GET['hash'])) {
header('location: ' . $uri);
exit();
}
echo "testpage<br><br>";
if (isset($_GET['hash']) && !empty($_GET['hash'])) {
$sig = $_GET['hash'];
$expected_sig = hash_hmac("sha256", $payload, $secret);
if ($expected_sig === $sig) {
echo "verification succeeded";
}
}