1

I am using randomly generated numbers as session variables to identify the sessions in a PHP application. To make further security proof what ways should I follow?

Gilles 'SO- stop being evil'
  • 51,955
  • 14
  • 122
  • 182
Jayanta Kumar Nath
  • 19
  • 1
  • 3
  • Well, I guess that you should just try to be sure that your random numbers are not predictable in any way. Meaning, you should not depend on obvious parameter such as date, time or know parameters. – perror Nov 12 '13 at 09:14
  • I used mt_rand(). Whether its better to encrypt it. – Jayanta Kumar Nath Nov 12 '13 at 09:29
  • 1
    This is really not safe, look at this question on StackOverflow. If you are under Linux, try to use /dev/urandom (a better source of randomness than mt_rand()). – perror Nov 12 '13 at 09:39

1 Answers1

3

The best way to generate random tokens for security purposes in PHP is using openssl_random_pseudo_bytes() to obtain some random bytes, and then bin2hex to make them printable.

$token = bin2hex(openssl_random_pseudo_bytes(16));

You can safely use $token for your session identifier, CSRF tokens, etc.

OtherDevOpsGene
  • 1,475
  • 12
  • 12
Adi
  • 44,095
  • 16
  • 138
  • 170