-1

I read this question, which now is somewhat old. Based on that, is this a viable way to create a random token today? I also found this, where it seems the same approach is used.

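// Requires: using System.Security.Cryptography;
private byte[] GetRandomBytes(int size)
{
    // RandomNumberGenerator.Create() returns a cryptographically secure generator.
    using (var randomNumberGenerator = RandomNumberGenerator.Create())
    {
        var randomBytes = new byte[size];
        randomNumberGenerator.GetBytes(randomBytes);

        return randomBytes;
    }
}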

...

var randomBytes = GetRandomBytes(size);
var token = Convert.ToBase64String(randomBytes);

I intend to use the tokens as one-time tokens in URLs for multiple purposes like double opt-in and login. The lifetime of the tokens depends on the usage, but for e.g. login it's short, e.g. 5 minutes. There aren't any passwords involved, only the "magic link" mailed to the user's e-mail.

The solution protected doesn't need the most bleeding edge protection, but I want it to be relatively difficult to guess a token and get in. If it is difficult to guess the token, and since I expire the tokens after n amount of time, is this a viable approach? And how difficult will it be to guess a token if someone already has a predefined list of Base64 encoded numbers?

ptf

1 Answer

0
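// Requires: using System; using System.Security.Cryptography;
public string generateCipher()
{
    // System.Random is not cryptographically secure, so the bytes are drawn
    // from the OS CSPRNG instead.
    var bytes = new byte[32];
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(bytes);
    }

    // 32 Base64 characters taken from the encoded random bytes.
    string symPass = Convert.ToBase64String(bytes).Substring(1, 32);

    // Append the current time (Windows file time divided by 100).
    var timestamp = DateTime.Now.ToFileTime();
    string cipher = symPass + timestamp / 100;

    return cipher;
}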
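
The one-time, expiring URL token flow described in the question, as an added example that is not part of the original question or answer. The names `MagicLinkTokens`, `Issue`, `Redeem` and `Demo`, the `app.example` URL and the in-memory dictionary (standing in for a database table) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: MagicLinkTokens, Issue and Redeem are hypothetical names.
public sealed class MagicLinkTokens
{
    // In-memory stand-in for a database table. Only the SHA-256 of each token
    // is kept, so a leaked store does not expose usable links.
    private readonly Dictionary<string, DateTime> _expiryByHash = new Dictionary<string, DateTime>();
    private readonly object _lock = new object();
    public string Issue(TimeSpan lifetime, int sizeInBytes = 32) // 32 bytes = 256 random bits
    {
        var bytes = new byte[sizeInBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        // Standard Base64 emits '+', '/' and '=', which have meaning in URLs; map to the URL-safe alphabet.
        string token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        lock (_lock) _expiryByHash[Hash(token)] = DateTime.UtcNow.Add(lifetime);
        return token;
    }
    // Succeeds at most once per token, and only before it expires.
    public bool Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string key = Hash(token);
        lock (_lock)
        {
            if (!_expiryByHash.TryGetValue(key, out DateTime expiresAt)) return false;
            _expiryByHash.Remove(key); // consume the entry even when it has expired
            return DateTime.UtcNow <= expiresAt;
        }
    }
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}

public static class Demo
{
    public static void Main()
    {
        var tokens = new MagicLinkTokens();
        string t = tokens.Issue(TimeSpan.FromMinutes(5));
        Console.WriteLine("https://app.example/login?token=" + t); // constructed URL
        Console.WriteLine(tokens.Redeem(t) + " " + tokens.Redeem(t)); // first use, then replay
    }
}
```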