OWASP / phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS

Correct csrf and random #107

Closed asgrim closed 8 years ago

asgrim commented 8 years ago

random_bytes and random_int should be used for randomness.

In order of preference:

  1. Use libsodium if available.
  2. fread() /dev/urandom if available (never on Windows)
  3. mcrypt_create_iv($bytes, MCRYPT_CREATE_IV)
  4. COM('CAPICOM.Utilities.1')->GetRandom()
  5. openssl_random_pseudo_bytes() (absolute last resort)
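As an added example (not code from the issue or from the phpsec project), the fallback chain below follows the order given in the comment and wraps it in a CSRF token issue/verify pair. It takes random_bytes() first when the runtime has it, uses MCRYPT_DEV_URANDOM as the mcrypt source flag, accepts openssl_random_pseudo_bytes() output only when its $crypto_strong flag is true, and leaves out the CAPICOM step; the function names are my own.

```php
<?php
// Added example: CSPRNG fallback chain (comment's preference order) plus CSRF helpers.

function secure_random_bytes($length)
{
    $length = (int) $length;
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    // PHP >= 7.0: random_bytes() throws on failure rather than degrading silently.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    // 1. libsodium (ext/sodium).
    if (function_exists('sodium_randombytes_buf')) {
        return sodium_randombytes_buf($length);
    }
    // 2. /dev/urandom where it exists (never on Windows); loop because fread() may short-read.
    if (DIRECTORY_SEPARATOR === '/' && is_readable('/dev/urandom')) {
        $fp = fopen('/dev/urandom', 'rb');
        if ($fp !== false) {
            $buf = '';
            while (strlen($buf) < $length) {
                $chunk = fread($fp, $length - strlen($buf));
                if ($chunk === false || $chunk === '') { break; }
                $buf .= $chunk;
            }
            fclose($fp);
            if (strlen($buf) === $length) { return $buf; }
        }
    }
    // 3. mcrypt, sourcing from the kernel CSPRNG.
    if (function_exists('mcrypt_create_iv')) {
        $buf = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if ($buf !== false && strlen($buf) === $length) { return $buf; }
    }
    // 5. openssl, last resort, and only if it reports a cryptographically strong result.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $buf = openssl_random_pseudo_bytes($length, $strong);
        if ($buf !== false && $strong === true) { return $buf; }
    }
    throw new RuntimeException('No cryptographically secure randomness source available');
}

function csrf_token_issue($bytes = 32)
{
    $token = bin2hex(secure_random_bytes($bytes));   // 32 bytes -> 64 hex chars
    $_SESSION['csrf_token'] = $token;
    return $token;
}

function csrf_token_verify($submitted)
{
    $expected = isset($_SESSION['csrf_token']) ? $_SESSION['csrf_token'] : '';
    // Constant-time comparison (hash_equals() exists since PHP 5.6); empty session token never verifies.
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}
```

Call csrf_token_issue() after session_start() when rendering the form, and reject the request when csrf_token_verify($_POST['csrf_token']) returns false.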