ivan-novakov / php-openid-connect-client

OpenID Connect Client Library

Use openssl_random_pseudo_bytes to generate hash. #8

Closed tekezo closed 9 years ago

tekezo commented 9 years ago

The current 'state' hash can be inferred. We should use openssl_random_pseudo_bytes in order to use a secure hash.

ivan-novakov commented 9 years ago

Tekezo,

thank you for your contributions. I modified StateFactory to be able to accept a hash optionally through the constructor. If no value has been passed, the openssl_random_pseudo_bytes() function is used for implicit hash generation. And I threw out the usage of ZF's Hash class completely.

Check this out: https://github.com/ivan-novakov/php-openid-connect-client/blob/9e3bb13d8ffade8204358c34a20d9fc589cae3df/src/InoOicClient/Oic/Authorization/State/StateFactory.php
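The design described above (a factory that takes an optional caller-supplied state hash and otherwise draws the value from openssl_random_pseudo_bytes()) as an added example. This is illustration code written for this thread, not the library's StateFactory; the class and method names (ExampleStateFactory, createState, matches) are assumptions, and the linked file remains the authoritative implementation. The `state` parameter protects the authorization response against cross-site request forgery only if an attacker cannot predict it, which is why the source must be a CSPRNG rather than a hash of guessable inputs.

```php
<?php
// Added illustration for this issue thread; not code from php-openid-connect-client.
// ExampleState, ExampleStateFactory and their methods are hypothetical names.

final class ExampleState
{
    /** @var string */
    private $hash;

    public function __construct(string $hash)
    {
        $this->hash = $hash;
    }

    public function getHash(): string
    {
        return $this->hash;
    }
}

final class ExampleStateFactory
{
    /** @var string|null optional caller-supplied hash, as the thread describes for the constructor */
    private $fixedHash;

    public function __construct(?string $hash = null)
    {
        $this->fixedHash = $hash;
    }

    public function createState(): ExampleState
    {
        if ($this->fixedHash !== null) {
            return new ExampleState($this->fixedHash);
        }

        // 32 bytes (256 bits) of CSPRNG output is more than enough for an unguessable token.
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(32, $strong);

        // Older PHP releases report a weak source through $strong instead of failing;
        // refuse to issue a guessable state rather than fail open.
        if ($bytes === false || $strong !== true) {
            throw new RuntimeException('No cryptographically strong random source available');
        }

        // Hex encoding keeps the value safe to carry in the `state` query parameter.
        return new ExampleState(bin2hex($bytes));
    }

    /**
     * Compare the `state` echoed back in the authorization response with the stored value.
     * hash_equals() runs in constant time, so the comparison leaks nothing about the stored token.
     */
    public static function matches(string $stored, string $received): bool
    {
        return hash_equals($stored, $received);
    }
}

// Constructed demonstration (a real client keeps the issued state server side, e.g. in the session).
$factory = new ExampleStateFactory();
$issued = $factory->createState()->getHash();

var_dump(strlen($issued) === 64);                                  // 32 bytes -> 64 hex chars
var_dump(ExampleStateFactory::matches($issued, $issued));          // genuine response: true
var_dump(ExampleStateFactory::matches($issued, strrev($issued)));  // tampered/forged response: false

// Caller-supplied hash path, as described in the thread.
$pinned = (new ExampleStateFactory('constructed-fixed-state'))->createState()->getHash();
var_dump($pinned === 'constructed-fixed-state');                   // true
```

The two checks that matter in review are visible in the code: the `$strong` flag is honoured so that a weak random source cannot silently produce a predictable state, and validation of the returned value uses a constant-time comparison instead of `==`.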

tekezo commented 9 years ago

Thank you for the excellent modification!