Sjoerd Langkemper writes about Cracking PHP rand():
Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling
rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with
This is a very interesting read about how PHP
rand() works, and how to attack & crack it. The post ends with the following conclusion:
Tokens should be created using a cryptographically secure random number generator. If they are made with
rand, the state of the random number generator can be cracked trivially in many cases, and tokens can be predicted. On Linux it is a little bit harder to predict tokens, but this does still not give secure tokens. The random number generator on Windows is particularly easy to exploit, since any state of the random number generator can be cracked within minutes.