mt_rand() is predictable and therefore not secure from a security point of view. Let's use openssl_random_pseudo_bytes() instead.
Before: 26 bits entropy After: 72 bits entropy
This commit is contained in:
parent
dc66e94ee3
commit
bd804b74c4
@ -440,7 +440,9 @@ class OC_Util {
*/
public static function callRegister() {
// generate a random token.
$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
$bytes = openssl_random_pseudo_bytes(10, $cstrong);
$hex = bin2hex($bytes);
$token = $hex;
|
// store the token together with a timestamp in the session.
$_SESSION['requesttoken-'.$token]=time();
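Review bot: The `$cstrong` flag that `openssl_random_pseudo_bytes(10, $cstrong)` sets is never read, and a `false` return is not handled, so when OpenSSL cannot provide cryptographically strong bytes the function silently continues with a weak token, or with `bin2hex(false)` producing an empty string and a session key of just `requesttoken-`. I would guard the result before deriving the token: `if ($bytes === false || $cstrong !== true) { throw new Exception('Could not generate a cryptographically strong request token'); }`. The `$hex` intermediate is used only once, so `$token = bin2hex($bytes);` would replace the two lines that follow it. The body of callRegister continues past the end of the hunk.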