softsmart/simple-nonce
======================

Simple nonce implementation

Version 2.1.1 (6y ago) · [1 issue](https://github.com/jsmcm/simple-nonce/issues) · GPL-3.0-only · PHP >=5.4.0 · CI failing

[Source](https://github.com/jsmcm/simple-nonce) · [Packagist](https://packagist.org/packages/softsmart/simple-nonce) · [Docs](https://softsmart.co.za/2017/01/04/php-create-installer-composer/)

SimpleNonce
===========

[![Software License](https://camo.githubusercontent.com/4c3918c0f114f627fea436b5a61f0fd10d33512303153785ab23aa5dc49af214/68747470733a2f2f696d672e736869656c64732e696f2f6175722f6c6963656e73652f79616f7572742e7376673f7374796c653d666c61742d737175617265)](LICENSE.md)

A simple nonce implementation in PHP

This is a very simple nonce implementation. It follows PSR-2 and PSR-4.

Structure
---------

If any of the following apply to your project, the directories should follow industry best practice and be named as follows.

```
src/
tests/
vendor/

```

Install
-------

Via Composer

```
$ composer require softsmart/simple-nonce
```

Usage
-----

```
// Generate Nonce
$UserID = 1; // This is the user account we're about to delete

$action = "deleteUser";
$meta = [$UserID];

// Optionally set configuration at runtime, else use config.inc.php
$nonceConfig = ["salt"=>"your-salt", "ttl"=>3600];
$nonceEngine = new \SoftSmart\Utilities\SimpleNonce($nonceConfig);

// The result holds both the nonce and the timestamp it was generated with
$nonceValues = $nonceEngine->generateNonce($action, $meta);
header("Location: ./deleteUser.php?userID=".$UserID."&nonce=".$nonceValues["nonce"]."&timeStamp=".$nonceValues["timeStamp"]);

// Verify Nonce
$UserID = 1; // This is the user account we're about to delete

// The action and meta must match the values used when generating the nonce
$action = "deleteUser";
$meta = [$UserID];

// Call through the engine instance created above
$result = $nonceEngine->verifyNonce($nonceValues["nonce"], $action, $nonceValues["timeStamp"], $meta);

if( ! $result )
{
    echo "Nonce failed";
    exit();
}

echo "Nonce passed, continue....";
```

Testing
-------

```
$ phpunit -c phpunit.xml
```

Contributing
------------

Please see [CONTRIBUTING](CONTRIBUTING.md) and [CODE\_OF\_CONDUCT](CODE_OF_CONDUCT.md) for details.

Credits
-------

- [John McMurray](https://github.com/jsmcm)
- [All Contributors](../../contributors)

License
-------

GNU GENERAL PUBLIC LICENSE. Please see [License File](LICENSE.md) for more information.

Questions
---------

Q: Why do we need to pass the timestamp?

A: Most nonce implementations store the nonce and its timeout when the nonce is created, in the file system, a DB, Redis, etc. When the nonce is used, its validity and timeout are read back from that store.

This nonce system does not store nonces in a DB and does not store unused nonces in the file system. We avoid that because on busy sites it could cause quite a lot of overhead. For instance, think of a busy store where you want to list many products on a page for an admin user. Each item in the list might have an edit button as well as a delete button, and each of these buttons requires its own nonce. If we list 50 items per page, that's 100 nonces written to a DB which may never be used.

Instead, our system works out the nonce when generating it and works it out again when verifying it, based on the action, timestamp and metadata. Because we're not pre-storing anything, we need to pass the timestamp!

Q: If we're passing the timestamp as plain text in a link, what prevents a bad user from altering the timestamp in the URL?

A: The generateNonce function uses the timestamp as part of the nonce field. So even though a bad user can see the timestamp, they can't alter it. If they try to alter it, the verifyNonce function will fail.

Q: If it doesn't write to a DB how does it know that the nonce has only been used once?

A: We do write a text file. The text file is named with the nonce key. When a nonce is being verified, we check that this file does not exist. If it does exist, the nonce has already been used and the nonce fails.
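
The stateless scheme these answers describe, as an added example that is not the library's own code: it assumes the nonce is an HMAC-SHA256 over the action, timestamp and metadata. The names `demoGenerateNonce`, `demoVerifyNonce`, `NONCE_SECRET`, `NONCE_TTL` and the temporary spent-nonce directory are hypothetical.

```php
<?php
// Added illustration, not the library's source. The HMAC-SHA256 construction,
// the function names and the spent-nonce directory are assumptions.
const NONCE_SECRET = 'replace-with-a-long-random-secret'; // constructed sample value
const NONCE_TTL    = 3600;                                // seconds

function demoGenerateNonce(string $action, array $meta, ?int $now = null): array
{
    $timeStamp = $now ?? time();
    // json_encode keeps field boundaries unambiguous ("ab"+"c" vs "a"+"bc").
    $payload = json_encode([$action, $timeStamp, $meta]);
    return [
        'nonce'     => hash_hmac('sha256', $payload, NONCE_SECRET),
        'timeStamp' => $timeStamp,
    ];
}

function demoVerifyNonce(string $nonce, string $action, int $timeStamp, array $meta, string $spentDir, ?int $now = null): bool
{
    $now = $now ?? time();
    // 1. Expiry: the timestamp is visible to the client but bound into the MAC below.
    if ($timeStamp > $now || $now - $timeStamp > NONCE_TTL) {
        return false;
    }
    // 2. Recompute from the supplied fields and compare in constant time.
    $expected = hash_hmac('sha256', json_encode([$action, $timeStamp, $meta]), NONCE_SECRET);
    if (!hash_equals($expected, $nonce)) {
        return false;
    }
    // 3. One-time use: mode 'x' creates the marker atomically and fails if it
    //    already exists, so two concurrent requests cannot both succeed.
    //    $expected is our own hex digest, so it is a safe file name.
    $marker = @fopen($spentDir . '/' . $expected, 'x');
    if ($marker === false) {
        return false;
    }
    fclose($marker);
    return true;
}

// Constructed walk-through: altered timestamp, first use, replay.
$dir = sys_get_temp_dir() . '/demo-nonces-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$n = demoGenerateNonce('deleteUser', [1]);
var_dump(demoVerifyNonce($n['nonce'], 'deleteUser', $n['timeStamp'] - 60, [1], $dir));
var_dump(demoVerifyNonce($n['nonce'], 'deleteUser', $n['timeStamp'], [1], $dir));
var_dump(demoVerifyNonce($n['nonce'], 'deleteUser', $n['timeStamp'], [1], $dir));
```

When the values arrive from a query string, cast them to the same types used at generation time, since `json_encode` distinguishes `1` from `"1"`. Spent-nonce markers older than the TTL can be deleted, because expired nonces are rejected before the file check.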

