I want to use HMAC to authenticate a user by email. The HMAC will be stored in the database along with the userid.
- Do I also need to store the `$payload` for decryption as well?

Am I doing it right?
I don't get any string in the URL query string?
This is my test page with the following:
```php
$secret = "dfjhglkhniuh65645";
$payload = "234|somedata";
$hmac = hash_hmac("sha2", $payload, $secret, true);
//$hmac = base64_encode($hmac);
if (!function_exists("hash_hmac")) {
    echo "hmac function does not exist";
}
$uri = "test.php?hash=$hmac";
if (!isset($_GET['hash'])) {
    header('location: ' . $uri);
    exit();
}
echo "testpage<br><br>";
if (isset($_GET['hash']) && !empty($_GET['hash'])) {
    $sig = $_GET['hash'];
    $expected_sig = hash_hmac("sha2", $payload, $secret, true);
    if ($expected_sig === $sig) echo "verification succeeded";
}
```
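
A signed-link round trip for the scheme in the question, added here as an example and not part of the original post: it uses `sha256` (a name that `hash_hmac_algos()` lists, unlike `sha2`), hex output so the tag survives a query string, and `hash_equals()` for the comparison. The helper names and the secret are constructed for illustration, and carrying the payload in the link next to the tag is an assumption (an HMAC cannot be reversed, so the verifier must get the payload from somewhere).

```php
<?php
// Added example: helper names and the secret are constructed for illustration.
declare(strict_types=1);

const ALGO = 'sha256'; // must be one of the names returned by hash_hmac_algos()

function sign_payload(string $payload, string $secret): string
{
    // Fourth argument omitted: hex output, safe to place in a URL as-is.
    return hash_hmac(ALGO, $payload, $secret);
}

function build_link(string $base, string $payload, string $secret): string
{
    // http_build_query() URL-encodes the "|" in the payload.
    return $base . '?' . http_build_query([
        'payload' => $payload,
        'hash'    => sign_payload($payload, $secret),
    ]);
}

function verify_link(array $query, string $secret): bool
{
    $payload = $query['payload'] ?? null;
    $sig     = $query['hash'] ?? null;
    // Reject missing or array-valued parameters (e.g. ?hash[]=x).
    if (!is_string($payload) || !is_string($sig)) {
        return false;
    }
    // Recompute the tag over the received payload; compare in constant time.
    return hash_equals(sign_payload($payload, $secret), $sig);
}

$secret  = 'constructed-demo-secret'; // constructed; keep real keys out of source
$payload = '234|somedata';            // payload from the question

$link = build_link('test.php', $payload, $secret);
echo $link, PHP_EOL;

// Simulate the receiving request by parsing the query string back out.
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(verify_link($query, $secret)); // untouched link

// A payload altered in transit no longer matches its tag.
$query['payload'] = '235|somedata';
var_dump(verify_link($query, $secret));
```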