use random_bytes(32) which throws for not enough entropy

This commit is contained in:
Ralf Becker 2020-01-29 11:12:21 +01:00
parent d95894d530
commit cc8258cb3c


@ -31,6 +31,8 @@ class Csrf
* *
* @param mixed $_purpose =true if given it need to be used in validate too! (It must NOT be NULL) * @param mixed $_purpose =true if given it need to be used in validate too! (It must NOT be NULL)
* @return string CSRF token * @return string CSRF token
* @throws Exception\WrongParameter
* @throws \Exception if it was not possible to gather sufficient entropy.
*/ */
public static function token($_purpose=true) public static function token($_purpose=true)
{ {
@ -39,9 +41,7 @@ class Csrf
throw new Exception\WrongParameter(__METHOD__.'(NULL) $_purspose must NOT be NULL!'); throw new Exception\WrongParameter(__METHOD__.'(NULL) $_purspose must NOT be NULL!');
} }
// generate random token (using oppenssl if available otherwise mt_rand based Auth::randomstring) // generate random token (using oppenssl if available otherwise mt_rand based Auth::randomstring)
$token = function_exists('openssl_random_pseudo_bytes') ? $token = base64_encode(random_bytes(32));
base64_encode(openssl_random_pseudo_bytes(64)) :
Auth::randomstring(64);
// store it in session for later validation // store it in session for later validation
Cache::setSession(__CLASS__, $token, $_purpose); Cache::setSession(__CLASS__, $token, $_purpose);