
I am generating tokens for users in PHP when they register. I am wondering if two users could ever get the same token... as this will break the system. Please let me know if this is sufficient.

$token = md5(rand().time());

Edit: I am now using a generate_uuid() function I found on another question. Will this work?

function generate_uuid() {
    // Builds a string in the RFC 4122 8-4-4-4-12 layout from mt_rand() output.
    return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
        mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ),   // time_low
        mt_rand( 0, 0xffff ),                         // time_mid
        mt_rand( 0, 0x0C2f ) | 0x4000,                // version nibble forced to 4
        mt_rand( 0, 0x3fff ) | 0x8000,                // variant bits forced to 10xx
        // node field; these upper bounds are narrower than 0xffff, so fewer values are possible
        mt_rand( 0, 0x2Aff ), mt_rand( 0, 0xffD3 ), mt_rand( 0, 0xff4B )
    );
}
  • Of course it will. `md5` collisions are trivial, it's why it's part of the wikipedia article on md5 hashing over on https://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities. Good luck. But as a piece of advice: use a uid/uuid library. That's what they're for =) – Mike 'Pomax' Kamermans Jan 09 '21 at 22:44
  • Why not use [a UUID](https://github.com/ramsey/uuid)? – ceejayoz Jan 09 '21 at 22:46
  • see https://stackoverflow.com/questions/1846202/php-how-to-generate-a-random-unique-alphanumeric-string-for-use-in-a-secret-l – Richard Chambers Jan 09 '21 at 22:50
  • Does this answer your question? [PHP: How to generate a random, unique, alphanumeric string for use in a secret link?](https://stackoverflow.com/questions/1846202/php-how-to-generate-a-random-unique-alphanumeric-string-for-use-in-a-secret-l) – Richard Chambers Jan 09 '21 at 22:51
  • I edited the post. Can you guys check that out and determine if that will be unique every time? – Preston Cammarata Jan 09 '21 at 23:02
  • Using that function you're generating a UUID from a set of random numbers. In theory, you could generate a set that you've used before, but the chance of this with UUIDs is vanishingly small. If you need to be absolutely certain that a generated UUID is unique in your system, check it and generate another one if necessary. Don't expect to need an extra code often. Or ever. – Tangentially Perpendicular Jan 10 '21 at 01:10

1 Answer

$token = md5(rand().time());

Has a good chance of never repeating.

  • Time() does repeat within one second.
  • Time() repeats for an hour once a year if it is on daylight savings.
  • But rand() does not repeat for 2^30 steps.
  • MD5 does not increase the randomness, and may even decrease it.

mt_rand() is very good at "randomness", but that means that it can and will repeat -- at "random" times. Do not trust it for not repeating.

See also microtime(true); it is precise to the microsecond. But it still can lead to dups, especially if two different clients are using the same formula.

Simply use UUID functions. They have a lot of research and thought put into them. You are unnecessarily re-inventing the wheel. See this for why UUIDs mess with performance in a database and what to do about it.

Peter O.
Rick James
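The answer's advice (use a proper UUID generator) and the comment suggesting a check-and-regenerate loop, as an added example that is not part of the question or the answer. It uses PHP's CSPRNG random_bytes() rather than rand()/mt_rand(), draws the full 16 bytes for the UUID (unlike the mt_rand() version with its narrowed ranges), and wraps generation in a uniqueness check against whatever store the tokens live in. The `$exists` callable and the in-memory `$issued` table are constructed stand-ins for a database lookup, not anything from the page.

```php
<?php
// Added example (not from the question or answer): token generation built on
// PHP's CSPRNG, random_bytes(), plus an explicit uniqueness check.

declare(strict_types=1);

/**
 * Random RFC 4122 version-4 UUID from 16 CSPRNG bytes.
 * Only the version nibble and two variant bits are fixed; the other 122 bits
 * are uniformly random, so two equal outputs are astronomically unlikely.
 */
function generate_uuid_v4(): string
{
    $bytes = random_bytes(16);                        // throws if no CSPRNG is available
    $bytes[6] = chr((ord($bytes[6]) & 0x0f) | 0x40);  // version 4
    $bytes[8] = chr((ord($bytes[8]) & 0x3f) | 0x80);  // RFC 4122 variant (10xx)
    $hex = bin2hex($bytes);
    return sprintf('%s-%s-%s-%s-%s',
        substr($hex, 0, 8), substr($hex, 8, 4), substr($hex, 12, 4),
        substr($hex, 16, 4), substr($hex, 20, 12));
}

/**
 * Opaque token for secret links (verification, password reset):
 * 32 random bytes, URL-safe base64, no structure to leak.
 */
function generate_opaque_token(int $bytes = 32): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

/**
 * Generate a token that is unique with respect to $exists.
 * $exists is a caller-supplied callable (assumed here; e.g. a SELECT on the
 * users table). The bounded retry keeps a broken $exists (one that always
 * returns true) from looping forever.
 */
function generate_unique_token(callable $exists, callable $generator, int $maxAttempts = 5): string
{
    for ($i = 0; $i < $maxAttempts; $i++) {
        $candidate = $generator();
        if (!$exists($candidate)) {
            return $candidate;
        }
    }
    throw new RuntimeException("no unique token after $maxAttempts attempts; check the store");
}

// --- Constructed demo: an in-memory "users" table standing in for the database.
$issued = [];
$exists = static function (string $t) use (&$issued): bool {
    return isset($issued[$t]);
};

for ($n = 0; $n < 5; $n++) {
    $uuid = generate_unique_token($exists, 'generate_uuid_v4');
    $issued[$uuid] = true;
    echo $uuid, PHP_EOL;
}
echo generate_opaque_token(), PHP_EOL;

// Contrast: mt_rand() is deterministic. Two processes that seed it identically
// produce identical "random" sequences, one way mt_rand()-based tokens can
// repeat across clients.
mt_srand(42); $a = mt_rand(0, 0xffff);
mt_srand(42); $b = mt_rand(0, 0xffff);
echo $a === $b ? "mt_rand repeated after identical seeding" . PHP_EOL : '';
```

In a real application the `$exists` callable would query the column that holds the token, and that column should carry a UNIQUE constraint so the database, not just this loop, rejects a duplicate insert.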