Using a time-based, rotating hash or string for security

Frontend | Unresolved | 4 answers | 1164 views
无人共我 2021-01-13 08:06

In a CMS app I occasionally need to open an iframe of another domain. At the moment I am setting the URL for that iframe to something very obscure. Like http://domain.com/if

4 answers
  •  独厮守ぢ
    2021-01-13 08:39

    You shouldn't use plain MD5 for that; MD5 is not designed for ensuring message authenticity. Instead you can just give the timestamp publicly, along with other information (the message), base64 encoded so that it does not contain the ':' character. Then you can calculate the HMAC of the message, for example with

    // keyed MAC over the base64-encoded message (timestamp + other fields)
    $hmac = hash_hmac("md5", $message, $secret);
    // ':' is a safe separator because base64 output never contains it
    $signed_message = $message . ":" . $hmac;

    On the other end you can then check this signature by first splitting on ":" to get $message and $hmac, then checking authenticity with

    // constant-time comparison; a plain == leaks timing and is subject to PHP type juggling
    hash_equals(hash_hmac("md5", $message, $secret), $hmac)

    If the codes match, then check whether the timestamp in $message is still within the limits.
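The sign-then-verify scheme the answer sketches in PHP, carried through end to end as an added Python example (this is not code from the post or from any CMS project). It assumes HMAC-SHA256 rather than the HMAC-MD5 the answer uses, a JSON payload carrying the timestamp plus an iframe identifier, a five-minute freshness window and a placeholder secret; all of these are the example's own choices. It also covers the failure modes a verifier has to handle: a malformed token, a wrong key, a tampered payload and an expired timestamp, and it only parses the payload after the MAC has been checked.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Placeholder secret for the example; a real deployment loads it from configuration.
SECRET = b"example-shared-secret-not-for-production"
MAX_AGE_SECONDS = 300  # assumed policy: tokens older than five minutes are rejected


def _b64url_encode(raw: bytes) -> str:
    # URL-safe base64 without padding: the output never contains ':' so it can sit
    # left of the separator, and it is safe to embed in a URL.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _mac(message: str, secret: bytes) -> str:
    # Keyed MAC over the encoded message (HMAC-SHA256 here; the answer used HMAC-MD5).
    return hmac.new(secret, message.encode("ascii"), hashlib.sha256).hexdigest()


def sign(fields: dict, secret: bytes, now: Optional[int] = None) -> str:
    """Build 'message:hmac' as in the answer; the timestamp rides inside the message."""
    payload = dict(fields)
    payload["ts"] = int(time.time()) if now is None else int(now)
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    message = _b64url_encode(encoded)
    return f"{message}:{_mac(message, secret)}"


def verify(token: str, secret: bytes, now: Optional[int] = None,
           max_age: int = MAX_AGE_SECONDS) -> Tuple[bool, object]:
    """Return (True, payload) for a valid, fresh token, else (False, reason)."""
    message, sep, mac = token.rpartition(":")
    if not sep or not message or not mac:
        return False, "malformed"
    # Constant-time comparison: no timing leak, no type-juggling surprises.
    if not hmac.compare_digest(mac, _mac(message, secret)):
        return False, "bad signature"
    # Only after the MAC checks out do we trust (and parse) the message contents.
    try:
        payload = json.loads(_b64url_decode(message))
        ts = int(payload["ts"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    current = int(time.time()) if now is None else int(now)
    # Reject both stale tokens and tokens dated in the future (no clock-skew allowance here).
    if not 0 <= current - ts <= max_age:
        return False, "expired"
    return True, payload


if __name__ == "__main__":
    token = sign({"iframe": "report-42"}, SECRET)
    print(token)
    print(verify(token, SECRET))
```

The token can be placed in the iframe URL as a query parameter; the receiving side runs `verify` and serves the frame only on `(True, payload)`. Because the timestamp is inside the signed message, an attacker who captures a URL cannot extend its lifetime without invalidating the MAC.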
