0

My server host had PHP version 5.2.17. I am using a random token and used openssl_random_pseudo_bytes in my function.

openssl_random_pseudo_bytes( $length);

Trying to run this code from Scott's answer.

It is running well on my localhost with a higher PHP version. Other than upgrading my server's PHP version, what is an alternative function for openssl_random_pseudo_bytes?

Update: Using mt_rand, rand or uniqid, how can I generate secure unique tokens? As of now, I am using this line of code:

$token = md5(uniqid(rand(), true));

$thetoken = $token.$user_id;

Thank you for any help!

c.k
  • You have to write your own routine, using something like `mt_rand()`; see: http://www.php.net/manual/en/function.mt-rand.php. A very simple routine will do, generating characters for the length you need. Tokens should not be affected by the warning that the function does not generate cryptographically secure values. – KIKO Software Aug 11 '16 at 08:41
  • I tried mt_rand() and rand() but it is slow and I get error run limit. – c.k Aug 11 '16 at 09:15
  • That is not what I read online: http://golearnphp.com/php-rand-vs-mt_rand-and-openssl_random_pseudo_bytes/ – KIKO Software Aug 11 '16 at 10:12

2 Answers

2

I am using 5.6 but have also been looking for ways to create secure and unique tokens as I am unable to get the openssl_random_pseudo_bytes function to work. I have run across paragonie's random_compat on GitHub, which should allow you to use random_bytes() and random_int() (both only available with PHP 7). They do say it should be able to be used with older 5.x versions of PHP in theory, though they do suggest updating to a current stable version of PHP. https://github.com/paragonie/random_compat

Here is a link to another Stack Overflow answer that suggests using random_bytes() as `$token = bin2hex(random_bytes($length));`

best practice to generate random token for forgot password

And also the links I found suggesting paragonie's random_compat: https://akrabat.com/random_bytes-in-php-5-6-and-5-5/ https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php

bio_sprite
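An added example, not code from the question, the answers, or random_compat: a token generator that uses `random_bytes()` when it exists (PHP 7, or PHP 5.x with random_compat loaded) and otherwise reads the operating system's CSPRNG directly, refusing to fall back to `rand()`, `mt_rand()` or `uniqid()`. The function names `secure_random_bytes()` and `secure_token()` are hypothetical, and the fallback assumes a Unix-like host where `/dev/urandom` is readable.

```php
<?php
// Added example. secure_random_bytes() and secure_token() are hypothetical helpers.
// Written without closures, namespaces or short array syntax so it parses on old PHP 5.

function secure_random_bytes($length)
{
    // PHP 7+, or PHP 5.x with paragonie/random_compat included beforehand.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // Assumption: Unix-like host with a readable /dev/urandom.
    $fp = @fopen('/dev/urandom', 'rb');
    if ($fp !== false) {
        // Not available on every old PHP version, so guard the call.
        if (function_exists('stream_set_read_buffer')) {
            stream_set_read_buffer($fp, 0); // do not buffer extra kernel bytes
        }
        $buf = '';
        // fread() may return fewer bytes than requested, so loop until full.
        while (strlen($buf) < $length) {
            $chunk = fread($fp, $length - strlen($buf));
            if ($chunk === false || $chunk === '') {
                break;
            }
            $buf .= $chunk;
        }
        fclose($fp);
        if (strlen($buf) === $length) {
            return $buf;
        }
    }

    // Fail closed: a predictable token is worse than an error page.
    throw new Exception('No secure random source available');
}

function secure_token($bytes = 32)
{
    // Hex-encode so the token is safe in URLs and e-mails (2 chars per byte).
    return bin2hex(secure_random_bytes($bytes));
}

echo secure_token(), "\n";
```

The token itself carries all the unpredictability, so nothing such as a user ID needs to be appended to make it unique.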
0

The alternative way for openssl_random_pseudo_bytes(10) is something like this: decbin(rand(0,1024)) in PHP 5.x

Ali Ghazi