
rollerworks/split-token
=======================

Token-Based Authentication Protocol without Side-Channels


Rollerworks SplitToken Component
================================


SplitToken provides a Token-Based Authentication Protocol without Side-Channels.

This technique is based on [Split Tokens: Token-Based Authentication Protocols without Side-Channels](https://paragonie.com/blog/2017/02/split-tokens-token-based-authentication-protocols-without-side-channels), which was first proposed by Paragon Initiative Enterprises.

SplitToken-Based Authentication is best used for password resetting or one-time single-logon.

While possible, this technique is not recommended as a replacement for OAuth or JSON Web Tokens.

Introduction
------------


Unlike *traditional* Token-Based Authentication Protocols, a SplitToken consists of two parts: the **selector** (used in the query) and the **verifier** (not used in the query).

- The selector is a fixed-length random string of 24 bytes, which is used as an identifier. You can safely create a unique index for this field.
- The verifier works as a password and is only provided to the user. The database only holds a salted (cryptographic) hash of the verifier.

  The length of this hash depends heavily on the hashing algorithm used and should not be hardcoded.

The full token is provided to the user or recipient and functions as a combined identifier (selector) and password (verifier).

**Caution: You NEVER store the full token as-is!** You only store the selector, and a (cryptographic) hash of the verifier.
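The selector/verifier split described above, as an added sketch that is not this package's API or code. The function names, the in-memory `$store` array (standing in for a table with a unique index on the selector), the 18-random-bytes-per-part layout and the expiry field are all assumptions made for illustration:

```php
<?php
declare(strict_types=1);

// Assumed layout: each part is 18 random bytes, base64url-encoded to 24 characters.
const PART_LEN = 24;

function b64url(string $bytes): string
{
    return sodium_bin2base64($bytes, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/** Issue a token and persist only the selector plus a salted hash of the verifier. */
function issueToken(array &$store, int $ttl = 3600): string
{
    $selector = b64url(random_bytes(18));
    $verifier = b64url(random_bytes(18));
    $store[$selector] = [
        // Argon2id hash string; its length depends on the algorithm, so never hardcode it.
        'verifier_hash' => sodium_crypto_pwhash_str(
            $verifier,
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
        ),
        'expires_at' => time() + $ttl, // expiry is an assumption of this sketch
    ];
    return $selector . $verifier; // the full token goes to the user and is never stored
}

function verifyToken(array &$store, string $token): bool
{
    if (strlen($token) !== 2 * PART_LEN) {
        return false; // malformed token: reject before touching the store
    }
    $selector = substr($token, 0, PART_LEN);
    $verifier = substr($token, PART_LEN);
    $row = $store[$selector] ?? null; // the lookup uses the selector only
    if ($row === null || $row['expires_at'] < time()) {
        unset($store[$selector]); // drop expired rows
        return false;
    }
    // The verifier is checked against the stored hash in code, never in the query.
    if (!sodium_crypto_pwhash_str_verify($row['verifier_hash'], $verifier)) {
        return false;
    }
    unset($store[$selector]); // single use: a replayed token no longer resolves
    return true;
}

$store = [];
$token = issueToken($store);
$tampered = substr($token, 0, -1) . ($token[-1] === 'A' ? 'B' : 'A');
var_dump(verifyToken($store, $tampered), verifyToken($store, $token), verifyToken($store, $token));
```

The three calls exercise a token with a modified verifier, the genuine token, and a replay of the genuine token after it has been consumed.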

Installation
------------


To install this package, add `rollerworks/split-token` to your composer.json:

```
$ php composer.phar require rollerworks/split-token
```

Now, Composer will automatically download all required files and install them for you.

Requirements
------------


PHP 8.1 with the sodium extension enabled (default since PHP 8).

Basic Usage
-----------


```
