Sjoerd Langkemper writes about Cracking PHP rand():
Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling
rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with
This is a very interesting read about how PHP
rand() works, and how to attack & crack it. The post ends with the following conclusion:
Tokens should be created using a cryptographically secure random number generator. If they are made with
rand, the state of the random number generator can be cracked trivially in many cases, and tokens can be predicted. On Linux it is a little bit harder to predict tokens, but this does still not give secure tokens. The random number generator on Windows is particularly easy to exploit, since any state of the random number generator can be cracked within minutes.
My name is Jan. I am not a hacker, coder, developer or guru. I am merely a systems administrator, doing my daily thing at Vevida.
If you feel a post has helped solve your problem, or has saved you time, please consider making a donation. You can transfer a direct donation through Paypal or via bank wire-transfer IBAN: NL31 ABNA 0432217258 (Jan Reilink). Thanks!