
  1. #1
    SitePoint Evangelist, Bellingham, WA (joined Mar 2011, 450 posts)

    oAuth and consumer secrets

    Hello!

    I'm implementing a third party application to an LMS. Users sign up for the LMS and my site separately. However, I'm integrating them so that a user can sign into the LMS, and after an initial login be automatically logged in to the LMS every time that they log into the LMS. To make sure that the user in the LMS is authorized to get into my site, they have a consumer key and secret which I then check using oAuth. As part of the oAuth process (this is my first time using oAuth), both the user and I have to have a plaintext copy of the secret. I'll keep my copy in my database, which leads me to be concerned about security; if somebody got access to the database, they could just grab the key and secret. My question, then, is whether there are ways to make the secret more secure.

    -Eric

  2. #2
    Banana Man, SitePoint Addict (joined Dec 2005, 391 posts)
    You can hash the secret before inserting it into your database. When you want to compare the user's secret with yours, use the same hash algorithm to hash the user's secret and compare this hash with the hash saved in your database.

    // Keyed hash of the secret; the key ('random string' here) must be the same on every call
    $hashed_secret = hash_hmac('sha512', $secret, 'random string');

    You will need to use the same 'random string' every time. Use a random string of characters and symbols of a decent length of maybe 50 characters.

  3. #3
    SitePoint Evangelist, Bellingham, WA (joined Mar 2011, 450 posts)
    With the oAuth process, I don't actually see the secret that gets posted from the LMS (I get an oAuth signature which I have to verify). However, I can easily tweak your suggestion to make it work for me: I'll just store the "secret" in my DB, give the Consumer the hashed version, and then check a hashed version of my secret, where the "random string" is kept in a config file out of my public directory. Thank you for your suggestion.
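The scheme sketched in posts #2 and #3, as an added example that is not part of the thread and not the poster's code: the database holds the raw secret, the consumer is handed an HMAC-SHA512 of it under a key that lives only in a config file outside the web root, and the server re-derives that value when it checks the OAuth 1.0 HMAC-SHA1 signature on an incoming request. The signature base string, key construction and percent-encoding follow the OAuth 1.0 specification (RFC 5849); the class, function and parameter names, the `PEPPER` value and the sample consumer key and secret are constructed for this example. It is written in Python rather than the poster's PHP so the logic can be run as-is; the timestamp window and nonce check are the two verification steps a signature alone does not give you.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed placeholder for the "random string" kept in a config file
# outside the public directory. Not a real key; generate a long random one.
PEPPER = b"replace-with-a-long-random-config-value"


def percent_encode(value):
    """RFC 3986 encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="")


def derive_consumer_secret(stored_secret, pepper=PEPPER):
    """Value handed to the consumer: HMAC-SHA512 of the DB column under the pepper.
    A copy of the database alone does not reveal it; the pepper is also needed."""
    return hmac.new(pepper, stored_secret.encode(), hashlib.sha512).hexdigest()


def signature_base_string(method, url, params):
    """OAuth 1.0 base string: METHOD & url & sorted key=value pairs, each encoded."""
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the key is consumer_secret & token_secret."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_secret):
    """What the LMS side does with the derived secret it was given."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, signed), consumer_secret)
    return signed


class LaunchVerifier:
    def __init__(self, db, pepper=PEPPER, max_skew=300):
        self.db = db                 # consumer_key -> raw secret, as stored in the DB
        self.pepper = pepper
        self.max_skew = max_skew     # seconds of clock skew tolerated
        self.seen_nonces = set()     # production: a store with expiry, not a set

    def verify(self, method, url, params, now=None):
        """True only for a fresh, unreplayed request whose signature matches."""
        now = time.time() if now is None else now
        key = params.get("oauth_consumer_key")
        stored = self.db.get(key)
        if stored is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if abs(now - ts) > self.max_skew:
            return False
        nonce = (key, params.get("oauth_nonce"), ts)
        if nonce in self.seen_nonces:
            return False  # replayed request
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       derive_consumer_secret(stored, self.pepper))
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    db = {"consumer-key-1": "db-secret-value"}            # constructed sample row
    given_to_consumer = derive_consumer_secret("db-secret-value")
    url = "https://example.com/launch"
    params = {"oauth_consumer_key": "consumer-key-1", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(time.time())), "oauth_nonce": "n1",
              "oauth_version": "1.0", "user_id": "42"}
    request = sign_request("POST", url, params, given_to_consumer)
    print(LaunchVerifier(db).verify("POST", url, request))   # True on first use
```

The consumer never sees the database value or the pepper, only the derived secret, and the server never stores the derived secret at all; a leaked database therefore yields nothing usable unless the config file leaks with it. Rotating the pepper invalidates every consumer secret at once, which is also how you would force a re-issue.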
