I was programming my garage door opener the other day and for some reason I started wondering why we don't use "rolling codes" for web security.

The closest, most common thing would be the "nonce", which in its most generic sense is hash(timestamp + secret), or, in some cases to protect against man-in-the-middle attacks, hash(timestamp + secret + parameters).

If all you're doing is a simple hash(timestamp + secret), it is entirely possible for someone to intercept your request, change the parameters and resubmit it, as long as they do so within whatever time window you accept.

By using hash(timestamp + secret + parameters), as Amazon does for example, you make this type of attack very unlikely.

So do we need "rolling codes" in the web world? Well, no, not really. A key fob has no input device and no way to program in any "secret code"; rolling codes provide an easy electronic way to do pretty much the same thing hash() checks do.

Besides, I am not that great at cryptography, but I imagine programming something that could duplicate this functionality across all the various web platforms it might be used on wouldn't be fun, to say the least.

The one thing garage door openers do that we tend to skip in the web world is keep track of which keys have already been used and ignore future requests that present them again.

By ignoring requests whose hash has already been presented, you avoid accepting a duplicate from the program that resent a request because its connection is poor, and from the attacker who just captured a request and is trying to send it back modified.

How can you make use of this idea in the real world? Every time you verify a hash, shove it into memcache with an expiry time that matches your timestamp window. By checking memcache for that hash on every request, you can ensure you're not accepting a duplicate request or a replay attempt.
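The whole scheme above in working form, as an added example that is mine rather than the post's own code: HMAC-SHA256 stands in for hash(timestamp + secret + parameters), and a small in-process dict with expiry stands in for memcache so it runs without a server (both are my assumptions, as are the secret, window and sample request, which are constructed).

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

WINDOW_SECONDS = 300  # accepted timestamp window; the cache TTL matches it

class ReplayCache:
    """Stand-in for memcache (assumption: one process, no server): key -> expiry."""
    def __init__(self, now=time.time):
        self._now = now
        self._seen = {}

    def add_if_new(self, key, ttl):
        """Store key with a TTL; return False if it is already present (a replay)."""
        now = self._now()
        # Drop entries whose TTL has passed, as memcache would do for us.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        if key in self._seen:
            return False
        self._seen[key] = now + ttl
        return True

def sign(secret, timestamp, params):
    """Client side: keyed hash over timestamp + parameters (HMAC-SHA256 here);
    parameters are sorted so both ends hash the same canonical string."""
    canonical = str(timestamp) + "\n" + urlencode(sorted(params.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()

def verify(secret, timestamp, params, signature, cache, now=time.time):
    """Server side: return 'ok' or the reason the request was refused."""
    # 1. Outside the window: expired request or a badly skewed clock.
    if abs(now() - timestamp) > WINDOW_SECONDS:
        return "stale"
    # 2. Recompute the hash; constant-time compare avoids timing leaks.
    if not hmac.compare_digest(sign(secret, timestamp, params), signature):
        return "bad-signature"
    # 3. Same hash seen within the window: a resend or a replay. Once the
    #    window closes, step 1 rejects it anyway, so the entry may expire.
    if not cache.add_if_new(signature, WINDOW_SECONDS):
        return "replay"
    return "ok"

if __name__ == "__main__":  # constructed sample: one request, frozen clock
    frozen, key, req = (lambda: 1_700_000_000.0), b"constructed-secret", {"door": "1"}
    cache, sig = ReplayCache(now=frozen), sign(key, 1_700_000_000, req)
    for _ in range(2):  # the second call is the replay
        print(verify(key, 1_700_000_000, req, sig, cache, now=frozen))  # ok, replay
```

Note that a legitimate client retrying with the same timestamp is refused too, which is exactly the duplicate-request case the post describes; a client that must retry should sign a fresh timestamp.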