The hash is generated by the client using the client specific secret key using the hash_hmac inbuilt method. This hashed value is included in the request header. Request which include this hash value also have a time stamp field set.
The server generates it’s own hash based on the request content and the client specific key( the client specific details are known to server from the header).
The hash generated by the server is matched to the hash received from the client. Both need to same for authorization success.
The received hash is stored in the Redis. We set a TTL equal of 300 seconds.
The server also uses the timestamp to check that the request is not repeated in last 5 minutes based on the based on the Redis Key and the timestamp in request.
If the timestamp sent is less than 300 secs old the server discards the request.
If the hacker tries to change this timestamp for an old request to repeat it then the received hash will not be same.
This version of HMAC which also prevents Replay Attacks as the received hash is stored for 5 mins. So obviously the same request can’t be repeated within 5 mins and that’s the