Hide, best as I can, an encryption password from code viewers

I realize that I will eventually need Zend to be able to do this, but I know there are ways to hide it "good enough" for a foreseeable future.

What I have is a system set up to be able to use one website's (HOME) user system across many different websites (AWAY) by basically a 4-step process...

1. Ask HOME for the login auth described in step 3
2. HOME checks if the user is logged in at HOME, if not asks user to type login details and login
3. Sends username, userid, and time of logging in to the originating website with a hash of those entries with the special encrypting password to be sure that the login is valid and legal from HOME.
4. AWAY stores all of that in a cookie to stay logged in.

function makeit($timecheck) {
        // Two secret phrases mixed into the hash that is sent in step 3
        $nerderg = "firstportionofpassforhash";
        $nerdarga = "secondportionofpassforhash";
        return md5($this->user.$nerderg.$timecheck.$nerdarga.$this->username);
}

That is the function that creates the hash for sending in step 3.

What I need is to be able to prevent people from finding "$nerderg" and "$nerdarga" in my PHP code when they view it. The people who I will be sending this source are from a 1-10 level of trust, 10 being the best: 6.

I was thinking about masking base64_decode() with another name and adding my own little encryption/decryption scheme to make it that extra step harder. Then moving it all around in a bunch of drawn-out steps across the code.

Not very practical so I was wondering what any of you think would be the best alternative to my option and zend / another pay encryptor.

I would give this 500 points but I'm new here :/
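
An alternative to hiding the shared phrases, added here as an example (not code from this thread): HOME signs the login data with a private key and each AWAY site verifies it with the public key, so the AWAY source contains nothing that can be used to forge a login. It swaps the MD5-with-secret hash for Ed25519 signatures from PHP's sodium extension; the function names, the `uid`/`name`/`iat`/`aud` fields and `away.example` are assumptions made for illustration.

```php
<?php
// Added example. Requires PHP 7.2+ (bundled sodium extension).

// HOME only: generate once; the secret key never leaves HOME.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair); // safe to ship in AWAY code

// HOME, step 3: sign user id, username, login time and the target site.
function home_issue_token(string $sk, int $uid, string $name, string $site): string {
    $payload = json_encode(['uid' => $uid, 'name' => $name,
                            'iat' => time(), 'aud' => $site]);
    $sig = sodium_crypto_sign_detached($payload, $sk);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// AWAY, step 4 and every later check: needs only the public key.
function away_verify_token(string $pk, string $token, string $site, int $maxAge = 3600): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    $sig     = base64_decode($parts[1], true);
    // Wrong-length signatures make sodium throw, so reject them first.
    if ($payload === false || $sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $pk)) {
        return null; // payload was altered or not signed by HOME
    }
    $claims = json_decode($payload, true);
    if (!is_array($claims) || ($claims['aud'] ?? null) !== $site) {
        return null; // token was issued for a different AWAY site
    }
    if (time() - (int) ($claims['iat'] ?? 0) > $maxAge) {
        return null; // login is too old
    }
    return $claims;
}

// Constructed demo values.
$token = home_issue_token($secretKey, 42, 'alice', 'away.example');
var_dump(away_verify_token($publicKey, $token, 'away.example') !== null);

// Editing the user id without the secret key breaks the signature.
[$p, $s] = explode('.', $token);
$forged  = base64_encode(str_replace('"uid":42', '"uid":1', base64_decode($p))) . '.' . $s;
var_dump(away_verify_token($publicKey, $forged, 'away.example'));
```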

I don't understand how they will be able to see the password? First they have to know the password, it won't be on the site???

Then if they can't see the encryption because it won't be in the code, it will be in sessions... (I would use sessions, not cookies!!)

Really need more info?? Don't understand what you're trying to do? Are you using a database to store passwords?
ThePCNerdAuthor Commented:
Hmm, everyone becomes confused on this. I am not talking about users/clients, period. I am talking about me copying my code, putting it on the server of another person I barely know, and them going in via FTP, downloading the file and looking at the password used within the encryption to make their own fake key to log in as anybody at any of the websites using my technology.
Well, you could store the passwords at a trusted server (in e.g. a database) and upon login authenticate clients against that, rather than locally.

However, if you store files at an untrusted location, nobody prevents the untrusted people from simply modifying your PHP page to bypass the authentication itself, right?

Even major software publishers, like Microsoft, who distribute their software closed-source and key-coded, get ripped off by serial number generators and suchlike. So there is no 100% cure, even compiling your software.

Except, perhaps, you can store not only authentication, but some key parts of your application at a trusted site - so that some processing is done at your place, and even if people copy your software, they can't do anything without having a proper auth with you.

You should look for the possibility of making breaking the authentication not worth it. I.e. the cost/time on breaking should exceed the product price.
ThePCNerdAuthor Commented:
Well, each website has its own auth verification, so the corrupted website owner could only fake login on his site if he were to go around it.

What I need is to hide the password used in the hash of data so that whoever gets my code can't fake a cookie for any of the domains that use the login system.
The main question is whether anyone who gets the code can change it for the running website.

If not, then why shouldn't something as simple as this work:

make an additional MD5 hash, and write in the PHP code the resulting hash;

$pass_hash = "nuiasdhu1273y23bki"; // the resulting hash, not the password is shown here.

// hash_equals() avoids PHP's loose "==" string comparison on hashes
if (hash_equals($pass_hash, md5($user_sent_password))) {
   // good user
}
ThePCNerdAuthor Commented:
This is not a user password.

OK, you all understand how a file hash works: it makes sure that the data you have is the data that is real.

Well, I have that for all remote logins. That way all the remote sites don't have to ask for the user database or ask the main site to check the login; I simply store 3 cookies at the remote site (user, username, and passhash).

The passhash ensures nobody changes the userid to another person so they can't fake the login.

And so that creating their own new hash can be more difficult, I add two password phrases within the hash, which I then later confirm at the remote website whenever a function needs to know if the user is logged in.

If you read my first post, you should have understood this and that I wasn't talking about a user password. Please don't post unless you've read it all, you degrade the community that way.
ThePCNerdAuthor Commented:
Instead of giving my clients the source code, I decided to use an include().

The code is executed locally in a remote include so my source can never be leaked.

The only downside is that your website might go down, and that means all websites using your program will too.
Question answered by asker or dialog valuable.
Closed, 130 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
