Subversion
Written by: Lorna Jane Mitchell
Featured Refcardz: Top Refcardz:
  1. Git
  2. DNS
  3. Data Mining
  4. Spring Data
  5. Subversion
  1. Spring Data
  2. Subversion
  3. Spring Config.
  4. Spring Annotations
  5. Data Mining
150+ Refcardz Available · Get them all

Link Details

Previous | Next

Surprise Me!

Link 923597 thumbnail
User 355617 avatar

By piccoloprincipe
via paul-m-jones.com
Submitted: Feb 13 2013 / 14:18

For CSRF tokens, mt_rand() is ok-ish but openssl_random_pseudo_bytes() is a lot better
On the pages for rand() and uniqid(), as well as looking at the C code, they specifically state that these functions should not be used for generating secure tokens.  They tend to generate predictable values.  And the documentation for md5() states that it should not be used for password hashing.  Granted we’re not hashing passwords when creating a CSRF token, but with the tooling available shouldn’t we be using functions that are more cryptographically secure?
Vote up
Vote down
  • 2
  • 0
  • 101
  • 59
SaveShareSend Tags: ,

Add your comment


Html tags not supported. Reply is editable for 5 minutes. Use [code lang="java|ruby|sql|css|xml"][/code] to post code snippets.

Voters For This Link (2)



Voters Against This Link (0)