Closed txemapamundi9l closed 7 years ago
Setting suhosin.rand.reseed_every_request = On
is certainly a reasonable setting for the paranoid. However, instead of the normal 32 or 31 bit mt_srand seed, Suhosin is seeding the random number generator with a 256 bit value anyway. As a result, entropy-based attacks on mt_rand() are not applicable, or at least not practical, anymore.
To keep it short, reseeding provides the best seeding entropy, but drains the system's entropy pool. Not reseeding with every request should be ok for most applications using Suhosin.
In Drupal, the following is executed for every request:
However, Suhosin disables mt_srand() by default. To ensure multiple requests use different seeds, I have set:

If it is correct that this setting should be used for Drupal, maybe the solution is just to document it in the Drupal documentation? Or maybe Suhosin should guarantee different seeds per request by default?
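A runtime check for the behaviour discussed in this thread, added here as an example and not code from Suhosin, Drupal, or either commenter: it reads the Suhosin reseed directive and tests whether mt_srand() is honored by drawing two sequences from the same seed. The seed value, the function name and the output format are my own choices.

```php
<?php
// Added example (not from the Suhosin project or the issue author):
// report how mt_rand() seeding behaves on this PHP build, so an
// application that calls mt_srand() per request, as the Drupal
// bootstrap described in the issue does, can tell whether the call
// takes effect or is ignored by Suhosin.

function suhosinRandStatus(): array {
    $loaded = extension_loaded('suhosin');
    $status = [
        'suhosin_loaded' => $loaded,
        // ini_get() returns false for an unknown directive, so only
        // interpret it when the extension is actually present.
        'reseed_every_request' => $loaded
            ? (bool) ini_get('suhosin.rand.reseed_every_request') : null,
        'mt_srand_ignored' => null,
    ];

    // With a working mt_srand(), two runs from the same seed yield the
    // same sequence. If Suhosin ignores user seeding, as the issue
    // reports for its default configuration, the sequences differ.
    $seed = 12345; // constructed test seed, not a production value
    mt_srand($seed);
    $first = [mt_rand(), mt_rand(), mt_rand()];
    mt_srand($seed);
    $second = [mt_rand(), mt_rand(), mt_rand()];
    $status['mt_srand_ignored'] = ($first !== $second);

    return $status;
}

$status = suhosinRandStatus();
foreach ($status as $key => $value) {
    printf("%-22s %s\n", $key, var_export($value, true));
}

if ($status['suhosin_loaded'] && $status['mt_srand_ignored']
        && !$status['reseed_every_request']) {
    echo "Note: mt_srand() calls are ignored and per-request reseeding is "
       . "off; see suhosin.rand.reseed_every_request if your application "
       . "relies on a fresh seed for every request.\n";
}
```

Run it once under the CLI and once through the web SAPI, since Suhosin's ini settings can differ between the two.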