News Feed
Jobs Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Jordi Boggiano's Blog:
Unpredictable hashes for humans
May 10, 2010 @ 13:47:44

In a new post to his blog today Jordi Boggiano talks about a task that can trip up some developers when they're trying to secure parts of their site or just create one-time use tokens - making unpredictable hashes.

If you [override the default session handlers], unless you want to entrust PHP's core to do it, one thing you will have to take care of is generating unique session ids to send as a cookie to your users, allowing the session to persist. Other common use cases for such unique hashes is to generate CSRF tokens to insert in forms or URLs, and finally authentication tokens for email validation or such.

He talks about how we, as humans, aren't very good at figuring out true randomness and that hashing the information only adds to the problem. He mentions how some of the random functions in PHP aren't all that random and that there's a better way to really generate good values. He's come up with a solution (his "generateUniqueId" function) that tries to generate entropy from OpenSSL or from the COM extension or from the "/dev/urandom" on unix-based systems. It's then hashed and sent back out the other side for easy use.

0 comments voice your opinion now!
hash data unpredictable misconception algorithm


blog comments powered by Disqus

Similar Posts

Tim Koschuetzki's Blog: Composing Methods: Substitute Algorithmn

DevShed: Iterators in the Simplest Sense - Traversing Different Data Structures

PHPBuilder.com: Handling Hierarchical Data in MySQL and PHP

php-general Mailing List: A Sad PHP Poem

Daniel Krook\'s Blog: Published - Developing PHP Applications for IBM Data Servers


Community Events











Don't see your event here?
Let us know!


release framework introduction performance podcast hhvm database install example package symfony2 composer language application project facebook hack component unittest security

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework