Question

I've created a token that I store in the database. Here is how I create my token:

$token = drupal_hmac_base64($pid . " " . $order_id . " " . $solde, drupal_get_private_key() . drupal_get_hash_salt());

And then a user goes to my URL, which looks like this:

https://mycustomwebsite.com/order_id/token

With the token and another value, order_id, I get the line in my database with the order_id and then I create a new token:

$new_token = drupal_hmac_base64($pid . " " . $order->order_id . " " . $solde, drupal_get_private_key() . drupal_get_hash_salt());

I compare these two tokens just as a verification to grant access or not.

This works fine, but a couple of days later, when I try to follow a link, the access doesn't work anymore. When I look at the new_token generated for verification, it's not the same! But the values used to make this token (pid, order_id and solde) are the same, which is why I ask my question.

Can drupal_get_hash_salt() or drupal_get_private_key() return different values over time?


Solution

drupal_get_hash_salt() is either:

  • a manually-entered value stored in your settings.php
  • ...or (by default) a hash of your serialized-DB config

drupal_get_private_key() is either:

  • a stored variable called drupal_private_key if it's set
  • ...or (by default) randomly generated bytes (that are saved to drupal_private_key after generation)

So, either one can change its value if:

  • You changed your DB config (if $drupal_hash_salt isn't manually set in settings.php).
  • You've lost/removed drupal_private_key from the variable DB table.
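
The two causes listed in the answer can be reproduced outside Drupal. The following PHP script is an added example, not code from the question or the answer: the demo_* functions re-create what the answer describes for drupal_hmac_base64() and drupal_get_hash_salt(), and every key, salt and database value is constructed.

```php
<?php
// Stand-alone re-creation of the Drupal 7 behaviour described in the answer.
// The demo_* names and every key, salt and database value are constructed.

// Encoding used by drupal_hmac_base64(): HMAC-SHA256, URL-safe base64, no padding.
function demo_hmac_base64(string $data, string $key): string {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, true));
  return strtr($hmac, ['+' => '-', '/' => '_', '=' => '']);
}

// Salt selection as the answer describes it: the settings.php value if set,
// otherwise a hash of the serialized database configuration.
function demo_hash_salt(?string $configured, array $databases): string {
  return empty($configured) ? hash('sha256', serialize($databases)) : $configured;
}

// Token built the way the question builds it: "pid order_id solde" keyed with
// private key . hash salt.
function demo_token(array $order, string $private_key, string $salt): string {
  $data = $order['pid'] . ' ' . $order['order_id'] . ' ' . $order['solde'];
  return demo_hmac_base64($data, $private_key . $salt);
}

$order = ['pid' => '7', 'order_id' => '1234', 'solde' => '50.00'];
$key = 'constructed-private-key';
$db_old = ['default' => ['default' => ['host' => 'db1.example', 'password' => 'old']]];
$db_new = ['default' => ['default' => ['host' => 'db1.example', 'password' => 'new']]];

$cases = [
  'salt derived from DB config, config changed' => [
    demo_token($order, $key, demo_hash_salt(null, $db_old)),
    demo_token($order, $key, demo_hash_salt(null, $db_new)),
  ],
  'salt pinned in settings.php, config changed' => [
    demo_token($order, $key, demo_hash_salt('constructed-pinned-salt', $db_old)),
    demo_token($order, $key, demo_hash_salt('constructed-pinned-salt', $db_new)),
  ],
  'private key regenerated, salt pinned' => [
    demo_token($order, $key, 'constructed-pinned-salt'),
    demo_token($order, 'constructed-new-private-key', 'constructed-pinned-salt'),
  ],
];

foreach ($cases as $label => [$stored, $recomputed]) {
  // hash_equals() compares in constant time, which suits access tokens.
  $result = hash_equals($stored, $recomputed) ? 'token still valid' : 'token mismatch';
  echo $label . ': ' . $result . PHP_EOL;
}
```

Setting $drupal_hash_salt explicitly in settings.php and carrying the drupal_private_key variable across database rebuilds keeps both inputs to the HMAC key fixed, so previously issued links keep verifying.
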
Licensed under: CC-BY-SA with attribution
Not affiliated with drupal.stackexchange