Feature Request #4709

openssl_random_pseudo_bytes in Security::token

Added by Eugene Alright over 1 year ago. Updated over 1 year ago.

Status: Closed
Start date: 02/26/2013
Priority: Normal
Due date:
Assignee: Lorenzo Pisani
% Done: 100%
Category: Core
Target version: 3.3.1
Resolution: fixed
Points: 1

Description

Please add use of openssl_random_pseudo_bytes() in Security::token when it's available.
The reason is that sha1(uniqid(NULL, TRUE)) is not so secure for CSRF tokens. Read more: http://eschrade.com/page/generating-secure-cross-site-request-forgery-tokens-csrf/
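As an added illustration of the point raised in this request (this is not Lithium's Security::token, nor the code of the fix, which the ticket does not show), the block below puts the time-derived token next to one drawn from the OS CSPRNG through openssl_random_pseudo_bytes(), and checks the function's strength flag instead of trusting its output blindly. The function names weakToken, strongToken and tokensMatch are this example's own.

```php
<?php
// Added example, not Lithium code. Contrasts the token construction the
// ticket objects to with one built from a cryptographically strong source.
// weakToken(), strongToken() and tokensMatch() are names chosen here.

/**
 * The pattern the ticket calls insecure. uniqid(NULL, TRUE) is the current
 * time in seconds and microseconds plus a combined linear congruential
 * generator value. Neither is a secret: an attacker who can estimate when
 * the token was issued has a small search space, and running the result
 * through sha1() adds no entropy, it only disguises the structure.
 */
function weakToken() {
    return sha1(uniqid(NULL, TRUE));
}

/**
 * Token from the operating system's CSPRNG. $bytes is the number of raw
 * random bytes; 32 bytes is 256 bits, far more than a CSRF token needs.
 * Throws instead of silently returning a weak token when no strong
 * source is available.
 */
function strongToken($bytes = 32) {
    if (function_exists('random_bytes')) {              // PHP 7+
        return bin2hex(random_bytes($bytes));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $raw = openssl_random_pseudo_bytes($bytes, $strong);
        // The second argument reports whether OpenSSL used a
        // cryptographically strong algorithm; honour it.
        if ($raw !== false && $strong === true) {
            return bin2hex($raw);
        }
    }
    throw new RuntimeException('No cryptographically strong random source available');
}

/**
 * Compare the submitted token with the one stored server-side without
 * leaking the position of the first mismatching byte through timing.
 */
function tokensMatch($expected, $submitted) {
    if (function_exists('hash_equals')) {               // PHP 5.6+
        return hash_equals($expected, $submitted);
    }
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    if (strlen($expected) !== strlen($submitted)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($expected); $i++) {
        $diff |= ord($expected[$i]) ^ ord($submitted[$i]);
    }
    return $diff === 0;
}

// Usage: issue a token, keep it in the session, embed it in the form,
// and compare on submission.
$token = strongToken();
// $_SESSION['csrf'] = $token;
// echo '<input type="hidden" name="csrf" value="' . htmlspecialchars($token) . '">';
var_dump(strlen($token) === 64);
var_dump(tokensMatch($token, $token));
var_dump(tokensMatch($token, weakToken()));
```

The fallback order matters: random_bytes() is preferred where it exists, openssl_random_pseudo_bytes() is used only when it reports a strong result, and anything else is treated as a hard failure rather than a reason to fall back to uniqid().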

Associated revisions

Revision a3c5df67
Added by Stijn van Tussenbroek over 1 year ago

Use openssl_random_pseudo_bytes to generate token Security class, if available. Fixed #4709.

Revision c308589b
Added by Lorenzo Pisani over 1 year ago

Merge pull request #354 from stidges/3.3/feature/4709-secure-csrf-token

refs #4709: openssl_random_pseudo_bytes in Security::token

History

#1 Updated by Lorenzo Pisani over 1 year ago

  • Status changed from New to Closed
  • Assignee set to Lorenzo Pisani
  • % Done changed from 0 to 100
  • Resolution set to fixed
