Author: BenB, Posted: Sat Mar 06, 2010 3:27 am Post subject: Is my PHP code secure? ----
Okay, so I'm using PHP and want to make an encryption method for storing a random value in the user's cookie as a method of authentication so they don't need to log back in every time they visit the site. Would the code below be secure?
$salt = "some random characters I made up";
hash('sha256', $salt.microtime(true).mt_rand(10000000,99999999));
Thanks!
Author: gnix, Posted: Mon Apr 05, 2010 8:27 am Post subject: ----
Trust me, the problem is rarely the random number used to track a user, but the website's cookie management.
gnix
p.s.: In any case, your random value is random for sure.
Author: krugger, Posted: Tue Mar 22, 2011 6:41 pm Post subject: ----
A hash is 32 letters long, with 16 options per letter. So walking the entire key space takes 2^36 attempts, so it is a bit challenging.
The most common problems will be someone sniffing the cookie and replaying it. Anyway, how do you validate the hash in the cookie the user sends you?
Author: capi, Location: Portugal, Posted: Wed Mar 23, 2011 12:54 am Post subject: ----
krugger wrote:
A hash is 32 letters long, with 16 options per letter. So walking the entire key space takes 2^36 attempts, so it is a bit challenging.
Assuming 32 letters, I think you mean 16^32 == (2^4)^32 == 2^(4*32) == 2^128 attempts (as a worst-case scenario for the attacker, of course).
In BenB's case, sha256 is being used, so for a pure brute force approach it would take 2^256 attempts (again as a worst-case scenario).
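
The points raised in this thread (token randomness, how the server validates the cookie value, and replay of a captured cookie) combined into one sketch. This is an added example, not code from any poster. It assumes PHP 7.3 or later; `$store` is a hypothetical in-memory stand-in for a database table, and the function names and the cookie name `remember` are made up for illustration.

```php
<?php
// Added example. $store is a hypothetical stand-in for a token table.

function issueToken(array &$store, int $userId, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits from the OS CSPRNG
    $store[hash('sha256', $token)] = [        // server keeps only the hash
        'user'    => $userId,
        'expires' => time() + $ttl,
    ];
    return $token;                            // raw token goes into the cookie
}

function validateToken(array &$store, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;                          // malformed cookie value
    }
    $key = hash('sha256', $token);            // look up by hash, never by raw token
    $row = $store[$key] ?? null;
    unset($store[$key]);                      // single use; also drops expired rows
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    return $row['user'];                      // caller must issue a fresh token now
}

function cookieOptions(int $ttl): array
{
    return [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,                   // sent over HTTPS only
        'httponly' => true,                   // not readable from page scripts
        'samesite' => 'Lax',
    ];
}

// Constructed usage, run from the CLI
$store = [];
$token = issueToken($store, 42);
// In a web request: setcookie('remember', $token, cookieOptions(1209600));
var_dump(validateToken($store, $token));              // first presentation
var_dump(validateToken($store, $token));              // same value presented again
var_dump(validateToken($store, str_repeat('0', 64))); // guessed value
```

Because each token is consumed on use, the caller is expected to call `issueToken` again after a successful validation and send the new value in the cookie.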