pear / HTTP_Request2

Provides an easy way to perform HTTP requests (and does not require curl extension for this).
http://pear.php.net/package/HTTP_Request2

Use of insecure random number generation function rand() #30

Open hannob opened 8 months ago

hannob commented 8 months ago

The code uses the function rand() in HTTP/Request2/Adapter/Socket.php:

    $challenge['cnonce'] = 'Req2.' . rand();

This function does not produce secure random numbers, and it might be predictable in certain situations. It would therefore be better to avoid it.

One can get practically the same behavior using PHP's random_int. However, in this case, according to the RFC the cnonce value can contain any base64 characters. So maybe just use something like base64enc(random_bytes(15)). (The random_bytes() function generates cryptographically secure random numbers, usually that's wired to the operating system's random number generator.)
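The replacement suggested in the comment above, shown as an added example (not code from HTTP_Request2 or from the commenter): a cnonce built from `random_bytes()`, the OS-backed CSPRNG, next to the current `rand()`-based value for comparison. Since PHP 7.1 `rand()` is an alias of `mt_rand()`, a Mersenne Twister whose state can be recovered from a few outputs, so it should not be used for anything an attacker must not predict. The example assumes PHP 7.0 or later (where `random_bytes()` exists); the function names `generateCnonce` and `isValidCnonce` and the byte count of 15 are choices made here, not anything the package defines.

```php
<?php
// Added example: secure cnonce generation for Digest auth (RFC 7616).
// Not part of HTTP_Request2; assumes PHP >= 7.0 for random_bytes().

/**
 * Build a client nonce from the operating system's CSPRNG.
 * 15 random bytes base64-encode to 20 characters with no '=' padding,
 * which keeps the value inside the base64 alphabet RFC 7616 permits.
 */
function generateCnonce(int $bytes = 15): string
{
    if ($bytes < 1) {
        throw new InvalidArgumentException('cnonce needs at least one random byte');
    }
    // random_bytes() throws an Exception if no secure source is available
    // instead of silently falling back to a weak generator.
    return 'Req2.' . base64_encode(random_bytes($bytes));
}

/**
 * Sanity check used here: the value is the 'Req2.' prefix followed only by
 * base64 characters, so it is safe to place inside a quoted-string header.
 */
function isValidCnonce(string $cnonce): bool
{
    return (bool) preg_match('~^Req2\.[A-Za-z0-9+/]+={0,2}$~', $cnonce);
}

// What Socket.php does today according to the issue: a small integer from a
// predictable PRNG, i.e. a few decimal digits of entropy at most.
$weak = 'Req2.' . rand();

// The proposed replacement: 120 bits from the OS CSPRNG.
$strong = generateCnonce();

printf("weak   : %s\n", $weak);
printf("strong : %s (valid: %s)\n", $strong, isValidCnonce($strong) ? 'yes' : 'no');
```

Only the cnonce source changes; the rest of the Digest computation (`H(A1)`, `H(A2)`, the response hash) is unaffected, so the swap is a one-line change in `Socket.php` with no protocol impact.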

sad-spirit commented 8 months ago

Dunno whether it makes sense to fix Digest authentication at this point. Using that essentially requires storing unencrypted passwords, which is a lot more insecure than using a bad random number generator.