joepie91 / cphp

An intuitive PHP framework that can be learned in 60 minutes. (UNMAINTAINED)
Do What The F*ck You Want To Public License

CSRF token is not securely random #4

Open alipha opened 8 years ago

alipha commented 8 years ago

You create CSRF tokens using random_string, which uses mt_rand, and this is not secure: the output of mt_rand can be predicted with enough input bytes. Instead of:

https://github.com/joepie91/cphp/blob/feature/formhandler/include.csrf.php#L20

Use:

```php
// 16 bytes from the OpenSSL CSPRNG, hex-encoded to a 32-character string
$key = bin2hex(openssl_random_pseudo_bytes(16));
$token = bin2hex(openssl_random_pseudo_bytes(16));
```
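A hardened token lifecycle built on the fix the issue proposes, as an added example rather than cphp's own code: `weak_random_string` is a constructed stand-in for the framework's `random_string` to show why mt_rand output is unsuitable, `random_bytes()` is used as the CSPRNG (assumes PHP 7+; the issue's `openssl_random_pseudo_bytes` is the pre-PHP 7 equivalent), and the session is an in-memory array rather than `$_SESSION`.

```php
<?php
// Added example, not cphp's own code: the mt_rand pattern the issue criticises
// next to a hardened CSRF token lifecycle using an OS-backed CSPRNG. Assumes PHP 7+.

// Roughly what an mt_rand-based random_string() does (constructed, not cphp's code).
// Mersenne Twister is deterministic and its state is recoverable from enough output,
// so tokens built from it are predictable rather than random.
function weak_random_string(int $length): string
{
    $chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[mt_rand(0, strlen($chars) - 1)];
    }
    return $out;
}

// Hardened: 16 bytes from random_bytes(), hex-encoded to 32 chars. On PHP < 7 the
// issue's openssl_random_pseudo_bytes(16) is the equivalent; check its $strong flag.
function secure_token(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // throws if no secure source is available
}

// Issue one token per session and keep it server-side.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = secure_token();
    }
    return $session['csrf_token'];
}

// Validate with a constant-time comparison so the check leaks no timing information.
function validate_csrf_token(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token']) && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Demo with a constructed in-memory session array instead of $_SESSION.
mt_srand(1); $a = weak_random_string(16);
mt_srand(1); $b = weak_random_string(16);
var_dump($a === $b);                         // reseeding reproduces the "random" token

$session = [];
$token = issue_csrf_token($session);
var_dump(validate_csrf_token($session, $token));              // the issued token
var_dump(validate_csrf_token($session, str_repeat('0', 32))); // a forged token
```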

paragonie-scott commented 8 years ago

Pretty sure this code isn't maintained anymore.