Feature Request #4709

openssl_random_pseudo_bytes in Security::token

Added by Eugene Alright about 2 years ago. Updated almost 2 years ago.

Status: Closed
Start date: 02/26/2013
Priority: Normal
Due date:
Assignee: Lorenzo Pisani
% Done:
Target version: 3.3.1
Resolution: fixed
Points: 1

Please add use of openssl_random_pseudo_bytes() in Security::token when it's available.
The reason is that sha1(uniqid(NULL, TRUE)) is not so secure for CSRF tokens. Read more: http://eschrade.com/page/generating-secure-cross-site-request-forgery-tokens-csrf/
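As an added illustration (not the project's own Security class and not the patch merged for this issue), the weak construction named in the request is shown beside a CSPRNG-backed replacement, including the $crypto_strong check that openssl_random_pseudo_bytes() requires and a constant-time comparison for the verification side. The function names weak_token, secure_token and token_matches are invented for this example; the fallback order (random_bytes() on PHP 7+, then openssl_random_pseudo_bytes()) is an assumption about what a current deployment would want, not something the issue specifies.

```php
<?php
// Added example, not the framework's own code. Contrasts the token
// generator criticised in this issue with a CSPRNG-backed one.

// Weak: uniqid() is built from the current time in microseconds, plus a
// few bits from lcg_value() when $more_entropy is TRUE. Wrapping it in
// sha1() hides the structure but adds no entropy, so an attacker who can
// estimate when the token was issued can enumerate candidates offline.
function weak_token()
{
    return sha1(uniqid(null, true));
}

// Hardened: read $bytes from the operating system CSPRNG and hex-encode.
// random_bytes() (PHP >= 7) is preferred; openssl_random_pseudo_bytes()
// is the fallback this issue asks for. Its $strong out-parameter must be
// checked, because on some platforms/versions the function can return
// output that is not cryptographically strong.
function secure_token($bytes = 32)
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $raw = openssl_random_pseudo_bytes($bytes, $strong);
        if ($raw !== false && $strong === true) {
            return bin2hex($raw);
        }
    }
    throw new RuntimeException('No cryptographically secure RNG available');
}

// Verify a submitted token against the session copy without leaking
// timing information. hash_equals() exists from PHP 5.6; the manual loop
// below is the fallback for older interpreters.
function token_matches($expected, $submitted)
{
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $submitted);
    }
    if (strlen($expected) !== strlen($submitted)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($submitted[$i]);
    }
    return $diff === 0;
}

// Usage: generate once per session, embed in each form as a hidden field,
// and compare on POST. 32 random bytes give a 64-character hex token.
$token = secure_token();
var_dump(strlen($token));
var_dump(token_matches($token, $token));
var_dump(token_matches($token, weak_token()));
```

Two points worth keeping in mind when porting this into a framework: the generated token should be stored server-side (session) and only compared with token_matches(), never with == or ===, and the RuntimeException path should fail closed rather than silently falling back to the uniqid() construction.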

Associated revisions

Revision a3c5df67
Added by Stijn van Tussenbroek almost 2 years ago

Use openssl_random_pseudo_bytes to generate token Security class, if available. Fixed #4709.

Revision c308589b
Added by Lorenzo Pisani almost 2 years ago

Merge pull request #354 from stidges/3.3/feature/4709-secure-csrf-token

refs #4709: openssl_random_pseudo_bytes in Security::token


#1 Updated by Lorenzo Pisani almost 2 years ago

  • Status changed from New to Closed
  • Assignee set to Lorenzo Pisani
  • % Done changed from 0 to 100
  • Resolution set to fixed
