Newsgroups: php.internals
Xref: news.php.net php.internals:56982
Subject: Re: [PHP-DEV] CS random values
From: kiall@managedit.ie (Kiall Mac Innes)
To: Tom Worster
Cc: internals@lists.php.net
Date: Wed, 21 Dec 2011 17:07:45 +0000

On Wed, Dec 21, 2011 at 3:31 PM, Tom Worster wrote:

> 1. /dev/random and /dev/urandom are unavailable on Windows and
> cannot be fopen()'ed in safe mode on *nix/nux

Safe mode has been deprecated for two and a half years.. Adding features to
work around its limitations is (IMO) a bad idea.. Can't argue with it being
unavailable on Windows..

> 2. openssl_random_pseudo_bytes() requires openssl extension
> installed and enabled. Most of the popular AMP packages for
> Windows fail on this count. Many shared web hosts don't have it
> either.

As far as I remember, WAMP Server (arguably the most popular AMP package for
Windows) does include OpenSSL support. It's simply disabled by default like
everything else! Some quick Googling seems to confirm this.. Some more
Googling confirms XAMPP also includes OpenSSL out of the box..

> 3. mcrypt_create_iv() depends on mcrypt extension and so suffers
> similar problems as openssl

mcrypt again comes with both WAMP and XAMPP servers, but disabled by default.

> 4. Another method is to set runtime config param
> session.entropy_length followed by @session_start();
> session_regenerate_id(); after which session_id() will return a
> CS random string, but this is also foiled by safe mode.

This is obviously not a solution, even if it worked... ;)

> 5. On Windows you could try COM('CAPICOM.Utilities.1')->GetRandom
> but that API is obsolescent and not in many default Windows
> installs.

I can't speak for Windows-specific APIs, so I'm going to ignore the rest!

It seems that the two preferable cross-platform options (openssl and mcrypt)
are already both widely available on all platforms. I'm not sure I see the
need, to be honest.

Kiall
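The thread above compares the sources of cryptographically secure random bytes that PHP 5 could reach: openssl_random_pseudo_bytes(), mcrypt_create_iv(), and a direct read of /dev/urandom. The function below, added here as an illustration and not code from the thread or from PHP's own sources, tries those three sources in that order and refuses to return anything if none of them is both present and verifiably strong. The function name csRandomBytes is an assumption of this example. The checks are the part worth copying: openssl_random_pseudo_bytes() must be asked for its $crypto_strong flag and the result discarded when the flag is false; mcrypt_create_iv() must be called with MCRYPT_DEV_URANDOM rather than MCRYPT_RAND (which uses the non-cryptographic rand()); and a /dev/urandom read must confirm it got the full length, since safe mode or open_basedir can make the open fail. On PHP 7 and later the built-in random_bytes() performs this selection in the engine and should be used instead of any of this.

```php
<?php
// Added example (not from the php.internals thread): pick the first
// cryptographically secure source that is actually available and
// verified, and fail closed rather than silently degrade to mt_rand().
// Written for PHP 5 to match the thread; on PHP >= 7.0 use random_bytes().

function csRandomBytes($length)
{
    $length = (int) $length;
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }

    // 1. OpenSSL extension. Only trust the output if the extension reports
    //    that a cryptographically strong generator produced it.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && is_string($bytes) && strlen($bytes) === $length) {
            return $bytes;
        }
        // $strong === false: weak generator, fall through to the next source.
    }

    // 2. mcrypt extension. MCRYPT_DEV_URANDOM is non-blocking and suitable;
    //    MCRYPT_RAND would use the C library rand() and is not acceptable here.
    if (function_exists('mcrypt_create_iv') && defined('MCRYPT_DEV_URANDOM')) {
        $bytes = @mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if (is_string($bytes) && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // 3. /dev/urandom on *nix. Safe mode / open_basedir can block the open,
    //    and fread() may return short, so loop and verify the final length.
    if (@is_readable('/dev/urandom')) {
        $fh = @fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            $bytes = '';
            while (strlen($bytes) < $length) {
                $chunk = fread($fh, $length - strlen($bytes));
                if ($chunk === false || $chunk === '') {
                    break;
                }
                $bytes .= $chunk;
            }
            fclose($fh);
            if (strlen($bytes) === $length) {
                return $bytes;
            }
        }
    }

    // No trustworthy source: refuse. Returning mt_rand()/uniqid() output
    // here would hand the caller a token that looks random but is guessable.
    throw new RuntimeException('No cryptographically secure random source is available');
}

// Usage: a 32-byte token, hex-encoded for use in a URL or cookie.
echo bin2hex(csRandomBytes(32)), PHP_EOL;
```

The ordering follows the thread's own assessment that OpenSSL and mcrypt are the widely available cross-platform options, with /dev/urandom as the *nix-only fallback; the exception at the end is deliberate, because a token generator that quietly falls back to a weak PRNG is harder to detect in production than one that fails loudly at deploy time.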