Fix #311: non cryptographically secure CSRF tokens
Neither `uniqid()` nor `rand()` are sufficient for cryptographic purposes, and combining them does not really improve the situation. Applying `md5()` on the resulting value may even weaken the token further. Instead we use 128 bits of entropy as recommended by both OWASP and CWE for session identifiers which are rather comparable to CSRF tokens in this regard. We obtain the values via `random_bytes()`.
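The contrast the commit message draws, as an added PHP example that is not the project's own code: the weak `uniqid()`/`rand()`/`md5()` construction beside a token built from 16 bytes (128 bits) of `random_bytes()` output, plus the constant-time check a consumer of the token needs. The function names, and the `$session` array standing in for `$_SESSION`, are assumptions made for this example.

```php
<?php
// Added example, not code from the project this commit belongs to.
// Function names and the $session array (a stand-in for $_SESSION) are
// assumptions made for illustration.

/**
 * The construction the commit replaces, kept only to show what is wrong
 * with it: uniqid() is derived from the clock, rand() is not a CSPRNG, and
 * md5() cannot add entropy that was never there. Its output is 32 hex
 * characters, so it *looks* like the secure token below. Do not use.
 */
function weakCsrfToken(): string
{
    return md5(uniqid((string) rand(), true));
}

/**
 * Hardened form: 16 bytes = 128 bits of entropy from the OS CSPRNG.
 * random_bytes() throws if no secure source is available; let that
 * propagate rather than falling back to a weaker generator.
 */
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(16)); // 32 hex characters, 128 bits
}

/**
 * Issue a token for the current session, reusing an existing one so that
 * several forms rendered in one session share it.
 */
function issueCsrfToken(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = generateCsrfToken();
    }
    return $session['csrf_token'];
}

/**
 * Validate a submitted token against the session copy. hash_equals()
 * compares in constant time so a mismatch does not leak how many leading
 * characters were correct.
 */
function validateCsrfToken(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Constructed demonstration: a fresh session, one issued token, and a
// forged token produced by the weak generator.
$session = [];
$token = issueCsrfToken($session);
var_dump(strlen($token) === 32);
var_dump(validateCsrfToken($session, $token));
var_dump(validateCsrfToken($session, weakCsrfToken()));
var_dump(validateCsrfToken($session, null));
```

The token is stored hex-encoded so it can be embedded in a hidden form field or header as-is; the encoding does not change the 128 bits of entropy behind it. Comparison goes through `hash_equals()` rather than `===` so that validation time does not depend on the submitted value.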