How can I generate a time-limited key or password without saving data

Question

How can I generate a time-limited key or password without saving data

Here is my scenario ...

The user client application makes a request to the web service for access.
The webservice responds with a “key”, which is valid only for X seconds / minutes (the time can be variable or at least defined in my web service)
The user client application immediately uses the key for subsequent request.
The web service verifies that the key is still valid, and if it is executed with the request, otherwise it responds accordingly.

I need to do this without actually storing the key in the database, so I assume that the hash used to generate the key (with salt) should somehow be based on time.

I guess I'm really asking what is the best approach for this.

Language: VB.Net

+1

security authentication .net passwords otp

Hads Apr 3 '11 at 0:41

source share

3 answers

- , , , . , .

+1

Femaref 03 . '11 0:45

we used a third-party tool for this. This is called Crypkey. Very customizable but not cheap.

0

Dan Apr 3 '11 at 0:46

source share

Hades · Accepted Answer · 2012-02-11T10:52:31+0000

In the end, we went with the following ....

Salt known in the application Username Current date / time + 5 seconds

combine the above in a specific order as a string and an MD5 hash.

We have a special URL that can be used with a hash as a query string parameter.

We compare the hash with 5 hashes generated during the request (one for the current second and one for each of the previous 4 seconds). If the hash in the QS parameter matches one of these 5 hashes, then we accept the request and perform the appropriate actions.

API, URL- . API URL . , 5 URL-, .

, , 5 .

" " API. URL- ( ), - URL-. URL- , , , cookie .

, , API SSL, .

How can I generate a time-limited key or password without saving data

More articles: