On Wed, Jun 22, 2011 at 09:36:42PM +0200, Florian Pritz wrote:
Note: As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically.
Signed-off-by: Florian Pritz <bluewind@xinu.at> --- web/lib/aur.inc.php | 12 +----------- 1 files changed, 1 insertions(+), 11 deletions(-)
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 3250133..382578c 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -81,25 +81,15 @@ function valid_email($addy) { return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE; }
-# a new seed value for mt_srand() -# -function make_seed() { - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 10000); -} - # generate a (hopefully) unique session id # function new_sid() { - mt_srand(make_seed()); $ts = time(); $pid = getmypid();
- $rand_num = mt_rand(); - mt_srand(make_seed()); $rand_str = substr(md5(mt_rand()),2, 20);
- $id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num; + $id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand(); return strtoupper(md5($id));
The session ID generation seems more of a arbitrary composition of commands to me anyway. Looking at the "$rand_str" calculation and the last two lines of code, it's easy to see that the amount of self-information of a session ID generated by current new_sid() even is below MD5's digest size of 128 bit. How about just using something like this: ---- return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true)); ---- This is (kind of) clear and results in all session IDs of our session ID universe being used (assuming that at least 256 different IP addresses are in use and without taking MD5 vulnerabilities into account, of course).
}
-- 1.7.5.4