Default Suhosin settings cause security regression with Drupal?

[txemapamundi9l]

In Drupal, the following is executed for every request:

  // Ensure mt_rand is reseeded, to prevent random values from one page load
  // being exploited to predict random values in subsequent page loads.
  $seed = unpack("L", drupal_random_bytes(4));
  mt_srand($seed[1]);

However, Suhosin disables mt_srand() by default. To ensure multiple requests use different seeds, I have set:

suhosin.rand.reseed_every_request = On

If it is correct that this setting should be used for Drupal, maybe the solution is just to document it in the Drupal documentation? Or maybe Suhosin should guarantee different seeds per request by default?

[bef]

Setting suhosin.rand.reseed_every_request = On is certainly a reasonable setting for the paranoid. However, instead of the normal 32 or 31 bit mt_srand seed, Suhosin is seeding the the random number generator with a 256 bit value anyway. As a result entropy based attacks on mt_rand() are not applicable or at least not practical anymore.

To keep it short, reseeding provides the best seeding entropy, but drains the system's entropy pool. Not reseeding with every request should be ok for most applications using Suhosin.