uniqid(); wtf?


fortnox007

Hi guru's,

 

I was just playing around with form tokens by using the function uniqid(); (is this, btw, unique enough for a form token?)

Pretty soon I noticed something weird. I have this small script (for testing):

<?php
   $token = uniqid;
   echo $token;
   //resulting in something like: 4cbba625bd06d 
?>

Now, for some reason, if I run this code, no matter how often, the first few characters are always 4cbba.

Does anyone have an idea why/how, et cetera?

 

So 2 questions:

- is this function good enough for creating a secure form token?

- how/ why does it keep starting with 4cbba?

 

Would love to hear it, thank you ::)


In the code you have provided, $token will always be false, null, or empty.

Oops, that was a typo; it should have been:

<?php
$token = uniqid();
echo $token;
?>

 

Anyway, I found out why it keeps starting with the same characters. The manual says this:

Gets a prefixed unique identifier based on the current time in microseconds.

 

So the question remains: is this a secure way to create a token (so forget about my initial typo)? I am not sure how determined some people are, but if the XSS fanatic could fine-tune his server to the microsecond of my server, he could spoof the token. Or is this pretty unthinkable?

 


I know that you already found the reason in the manual, but here's a little more info. Part (or all, if you're not getting a "strong" ID) of the ID is based on the current time: the first 8 hexadecimal digits are seconds since the UNIX epoch and the next 5 are milliseconds. Don't confuse unique with random. Finally, go for using the more_entropy parameter with uniqid(), as that does add a little randomness to the end of the ID.

 

As for a "secure way to create a token", you could still use uniqid() but hash the value (with a salt) to get something unguessable using one of the many hashing functions available.

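Added example (PHP), not code from this thread, from Salathe, or from PHP's own documentation. It covers both the OP's "why does it always start with 4cbba" question and the follow-up about whether a time-based value can be guessed: the first function splits a uniqid()-style value into the fields PHP formats as "%08x%05x" (Unix seconds, then the microsecond remainder), and the last two issue and check a form token from random_bytes(), which is what a reviewer would recommend today instead of uniqid(). Assumptions: PHP 7.0 or later (for random_bytes and hash_equals); the $session array stands in for $_SESSION so the script runs from the CLI without session_start(); the sample value is the one the OP posted, used here only as a constructed input.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Shows (1) why uniqid() output is
// time-derived and therefore predictable and (2) a form token from a CSPRNG.

/**
 * Split a 13-character uniqid() value (no prefix, more_entropy = false)
 * into the two fields PHP formats as "%08x%05x": Unix seconds and the
 * microsecond remainder.
 */
function decodeUniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('expected 13 lowercase hex digits');
    }
    return [
        'seconds'      => (int) hexdec(substr($id, 0, 8)),
        'microseconds' => (int) hexdec(substr($id, 8, 5)),
    ];
}

/** Number of positions at which two strings differ (length difference counts). */
function differingChars(string $a, string $b): int
{
    $n = 0;
    for ($i = 0, $len = min(strlen($a), strlen($b)); $i < $len; $i++) {
        if ($a[$i] !== $b[$i]) {
            $n++;
        }
    }
    return $n + abs(strlen($a) - strlen($b));
}

/**
 * Issue a form token from the OS CSPRNG (PHP >= 7.0). $session is an
 * assumed stand-in for $_SESSION so this runs from the CLI.
 */
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits of entropy, 64 hex chars
    $session['form_token'] = $token;
    return $token;
}

/** Verify a submitted token in constant time and consume it (single use). */
function verifyFormToken(array &$session, ?string $submitted): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);        // a token is valid for one submission only
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// --- 1. The value from the thread, decoded (constructed sample, same format) ---
$sample = '4cbba625bd06d';
$parts  = decodeUniqid($sample);
printf("%s = %s UTC + %d us\n",
    $sample, gmdate('Y-m-d H:i:s', $parts['seconds']), $parts['microseconds']);
// The leading "4cbba" is the top 20 bits of the epoch seconds; the remaining
// 12 bits cover 4096 s (about 68 minutes), so the prefix stays fixed that long.

// --- 2. Two live uniqid() values a few microseconds apart ---
$first = uniqid();
usleep(50);
$second = uniqid();
printf("uniqid(): %s then %s, %d of 13 chars differ\n",
    $first, $second, differingChars($first, $second));

// --- 3. A CSPRNG-based token: issue, accept once, reject replay and tampering ---
$session = [];
$issued  = issueFormToken($session);
printf("token:    %s\n", $issued);
printf("first:    %s\n", verifyFormToken($session, $issued) ? 'accepted' : 'rejected');
printf("replay:   %s\n", verifyFormToken($session, $issued) ? 'accepted' : 'rejected');
$issued = issueFormToken($session);
printf("tampered: %s\n", verifyFormToken($session, strrev($issued)) ? 'accepted' : 'rejected');
```

Run it from the CLI with php. Section 2 makes the OP's observation concrete: two calls in the same second share all of the first 8 digits and usually most of the microsecond field too, so the only thing a guesser has to recover is a few low digits. Note that more_entropy appends digits from lcg_value(), a non-cryptographic generator, so it narrows the search space only slightly; random_bytes() draws from the operating system's CSPRNG, and hash_equals() compares in constant time so the check itself does not leak how many leading characters matched.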

Thanks a lot, Salathe, for the tips! Sorry if my question was a bit noobish, but I am not yet that experienced with this and would rather know more than less.

Cheers! ::)
