Here is my scenario:

1. The user's client application makes a request to a web service for access.
2. The web service responds with a "key" that is only valid for X seconds/minutes (the time could be variable, or at least definable in my web service).
3. The user's client application uses the key immediately to make a further request.
4. The web service checks that the key is still valid and, if it is, proceeds with the request; otherwise it responds accordingly.
I need to do this without actually storing the key in the database so I'm guessing that the hash used in generating the key (with a salt) should be based on time somehow.
I guess what I'm really asking is what is the best approach to do this.
You won't get around storing the key somewhere; the nature of a hash is that you can't recover the information it was generated from. If you want to get the information back, use an encryption algorithm instead.
We used a 3rd party tool for that. It's called Crypkey. Very configurable but not cheap.
In the end we went with the following:

- A salt known to the application
- The user's username
- The current date/time + 5 seconds

Combine the above in a specific order as a string and MD5 hash it.
We have a special URL that they can hit with the hash as a query string parameter.
We compare the hash to 5 hashes generated at the time of the request (one for the current second and one for each of the previous 4 seconds). If the hash on the QS parameter matches one of these 5 hashes generated then we accept the request and perform the relevant actions.
We have a method on our API that returns a URL with the hash already applied. API Clients can then send their request to the URL provided immediately. Any requests made more than 5 seconds after the URL was retrieved are rejected.
So we have a key that is only valid for 5 seconds from the time it was generated.
This allows us to provide users the ability to "auto-login" to their site from an API client. The client requests the login URL (which comes with the hash) and then immediately directs the user's web browser to that URL. The URL handles the request, checking the hash and, if valid, setting a login cookie and redirecting them to their admin page.
Simple, effective and, since all our API requests are over SSL, secure.
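The scheme from the answer above (salt + username + "now plus 5 seconds", issued as a key, verified by recomputing the candidates for the current second and the previous four) as an added example, not the poster's code. It keeps the same structure but swaps the MD5 of a concatenated string for HMAC-SHA256 keyed with the salt, and uses a constant-time comparison; `SERVER_SALT`, `example.invalid` and the URL layout are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for the example; in practice load it from server configuration.
SERVER_SALT = b"example-server-salt"
WINDOW_SECONDS = 5  # the 5-second validity window described in the answer


def _token_for(salt: bytes, username: str, second: int) -> str:
    """Token for a key issued during `second`: covers username and (second + 5s)."""
    message = f"{username}|{second + WINDOW_SECONDS}".encode()
    # HMAC-SHA256 instead of MD5 over a concatenated string: the salt acts as a
    # proper key, so a reader of the message format cannot forge tokens without it.
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


def issue_key(username: str, now: Optional[int] = None, salt: bytes = SERVER_SALT) -> str:
    """Issue a key that the client must use within WINDOW_SECONDS."""
    issued_at = int(time.time()) if now is None else now
    return _token_for(salt, username, issued_at)


def verify_key(username: str, key: str, now: Optional[int] = None,
               salt: bytes = SERVER_SALT) -> bool:
    """Accept the key if it matches the token for the current second or any of the previous four."""
    current = int(time.time()) if now is None else now
    accepted = False
    for offset in range(WINDOW_SECONDS):
        candidate = _token_for(salt, username, current - offset)
        # compare_digest keeps the comparison time independent of how many
        # leading characters match; no early return, so the matching offset
        # is not revealed through timing either.
        if hmac.compare_digest(candidate, key):
            accepted = True
    return accepted


def login_url(username: str, now: Optional[int] = None) -> str:
    """The 'URL with the hash already applied' that an API client fetches and forwards."""
    return f"https://example.invalid/autologin?user={username}&key={issue_key(username, now)}"
```

A key issued at second T is accepted for requests at T through T+4 and rejected from T+5 onward, and a key issued for one username never verifies for another.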