Skip to main content

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

15
  • 1
    No sorry, haven't had my coffee, makes no difference. Commented Apr 1, 2014 at 1:07
  • 6
    My concern about using this approach is that the clones can reverse engineer my app and see what I'd be doing here. If the clones also used signature = md5( md5(url + data) + MY_RANDOM_KEY), as seen in my app, then how would this make it secure? Also, I thought that MD5 has been outdated for a while now. Commented Apr 1, 2014 at 1:09
  • 1
    In a sense, you are correct. But in the same sense, they could also do the same with whatever else you do. Use whatever hashing you want. If MY_RANDOM_KEY is sufficiently long, and you're also taking a hash of hash (nested md5 calls), you'll be fine. If your MY_RANDOM_KEY is compromised, then yes you have an issue. But that's auth in general. Unless you're carrying banking data or something like that, this will be just fine. Commented Apr 1, 2014 at 1:33
  • 1
    There's also methods of ensuring that it's different one second from the next. You could append the TIME_SINCE_EPOCH to MY_RANDOM_TOKEN and then server side make the all the valid signature_should_be for the past and next 5 seconds (to account for various latency, etc). But for what you're probably trying to secure, that's overkill. Commented Apr 1, 2014 at 1:40
  • 1
    I see what you're saying @TommyCrush, but where would I store MY_RANDOM_TOKEN? If I'm storing it client-side, wouldn't it be easy to spot if they just decompile my code? Commented Apr 1, 2014 at 1:48