Using a fixed $key and variable $data vs. a partially variable $key with fixed $data in PHP's hash_hmac()

This question was originally asked on Stack Overflow, but it was suggested to ask it here as well.

  • Not looking to improve on hash_hmac functionality. I'm rather interested in the $uri in the examples below.

The theory is that typically we create signed URIs like

    // Construction 1: one fixed secret key, per-user data
    $superSecret = 'abc';
    $data = 'https://localhost/verify/{user-id}/{email}';
    $hash = hash_hmac('sha256', $data, $superSecret);
    // the tag travels with the data it authenticates
    $uri = $data . '/?hash=' . $hash;

Then we can validate the signature by recreating the hash and calling hash_equals(). If any part of the data string changed, hash_equals() returns false.

What happens if we switch some parameters around? This time, instead of hashing different data, we hash the same data every time but with different keys.

    // Construction 2: per-user key (secret . userId . email), fixed data
    $superSecret = 'abc' . $userId . $email;
    $data = 'https://localhost/verify';
    $hash = hash_hmac('sha256', $data, $superSecret);
    $uri = $data;

The above are dumbed-down, generalized examples. But what I'm more interested in is: is the concept correct? Would using different keys to hash the same data be as secure as using different data hashed by the same key?

Keep in mind that the 'abc' of $superSecret is never exposed. $user-id and $email are concatenated onto the end of $superSecret.

The original question for those interested
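The two constructions side by side, as an added example that is not the asker's code: Python's hmac module stands in for PHP's hash_hmac()/hash_equals(), and the secret 'abc', the sample user id and the email are placeholder values. It also carries the check a reviewer would want on the second construction: because the key is built by plain concatenation, two different (user id, email) pairs can yield the same key bytes and therefore the same tag, so the fields need an unambiguous encoding (length prefixes here) before they are appended to the secret.

```python
import hmac
import hashlib

# Placeholder for the question's never-exposed 'abc' secret (assumed value).
SECRET = b"abc"
FIXED_DATA = b"https://localhost/verify"


def sign_variable_data(user_id: str, email: str) -> tuple[str, str]:
    """Construction 1: fixed key, variable data (the usual signed-URI pattern)."""
    data = f"https://localhost/verify/{user_id}/{email}"
    tag = hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()
    return data, tag


def verify_variable_data(data: str, tag: str) -> bool:
    """Recompute the tag over the received data; compare_digest is the
    constant-time counterpart of PHP's hash_equals()."""
    expected = hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def _length_prefixed(*fields: str) -> bytes:
    """Unambiguous field encoding: 2-byte big-endian length before each field."""
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def sign_variable_key(user_id: str, email: str, unambiguous: bool = False) -> str:
    """Construction 2: key = secret || user_id || email, fixed data.
    unambiguous=False glues the fields together exactly as in the question;
    unambiguous=True length-prefixes them first."""
    if unambiguous:
        key = SECRET + _length_prefixed(user_id, email)
    else:
        key = SECRET + user_id.encode() + email.encode()
    return hmac.new(key, FIXED_DATA, hashlib.sha256).hexdigest()


def verify_variable_key(user_id: str, email: str, tag: str, unambiguous: bool = False) -> bool:
    """The verifier must obtain user_id and email elsewhere (session, query
    string): unlike construction 1, they are not part of the signed data."""
    return hmac.compare_digest(sign_variable_key(user_id, email, unambiguous), tag)


if __name__ == "__main__":
    data, tag = sign_variable_data("42", "alice@example.com")
    print(verify_variable_data(data, tag))                      # True
    print(verify_variable_data(data.replace("42", "43"), tag))  # False
    # Plain concatenation: ("1", "2abc") and ("12", "abc") give the same key bytes.
    print(sign_variable_key("1", "2abc") == sign_variable_key("12", "abc"))              # True
    print(sign_variable_key("1", "2abc", True) == sign_variable_key("12", "abc", True))  # False
```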