Tornado Signed Value Implementation in PHP

gistfile1.php

<?php

/* Python Version: https://gist.github.com/3738771 */

function _time_independent_equals($a, $b){
	if (strlen($a) !== strlen($b)){
		return;
	}
	$result = 0;
	for($i=0; $i<strlen($a); $i++){
		$result |= ord($a[$i]) ^ ord($b[$i]);
	}
	return $result === 0;
}

function create_signed_value($secret, $name, $value){
	$timestamp = time();
	$value = base64_encode($value);
	$signature = _create_signature($secret, array($name, $value, $timestamp));
	return implode("|", array($value, $timestamp, $signature));
}

function decode_signed_value($secret, $name, $value, $max_age_days=31){
	if (!$value){
		return;
	}
	$parts = explode("|", $value);
	if (count($parts) !== 3){
		return;
	}
	$signature = _create_signature($secret, array($name, $parts[0], $parts[1]));
	if (!_time_independent_equals($parts[2], $signature)){
		error_log("Invalid signature $value");
		return;
	}
	
	$timestamp = (int)$parts[1];
	if ($timestamp < time() - $max_age_days * 86400){
		// Expired
		return;
	}
	if ($timestamp > time() + 31 * 86400){
		error_log("Cookie timestamp in future; possible tampering $value");
		return;
	}
	if ($parts[1][0] === "0"){
		// Tampered
		return;
	}
	return base64_decode($parts[0]);
}

function _create_signature($secret, $parts=array()){
	return hash_hmac("sha1", implode("", $parts), $secret);
}
?>