mt_rand() is predictable and therefore not secure from a security point of view. Let's use openssl_random_pseudo_bytes() instead.
Before: 26 bits of entropy. After: 72 bits of entropy.
This commit is contained in:
parent
dc66e94ee3
commit
bd804b74c4
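--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -440,7 +440,9 @@ class OC_Util {
 */
 public static function callRegister() {
 // generate a random token.
-$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+$bytes = openssl_random_pseudo_bytes(10, $cstrong);
+$hex = bin2hex($bytes);
+$token = $hex;
 
 // store the token together with a timestamp in the session.
 $_SESSION['requesttoken-'.$token]=time();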
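Review bot: The `$cstrong` flag that openssl_random_pseudo_bytes() fills on the `$bytes = ...` line is never read, and a `false` return is not handled, so a weak or failed random source still yields a token that is stored in the session (`bin2hex(false)` gives an empty string, leaving the session key as a bare `requesttoken-`). I would fail closed before the token is stored: `if ($bytes === false || $cstrong !== true) { throw new Exception('No cryptographically strong random source available'); }` followed by `$token = bin2hex($bytes);`, which also drops the redundant `$hex` intermediate. Separately, 10 random bytes is 80 bits of entropy rather than the 72 the commit message states, so one of the two should be reconciled. callRegister's body continues outside the hunk.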