fortnox007 Posted October 18, 2010

Hi gurus, I was just playing around with form tokens by using the function uniqid(); (is this, by the way, unique enough for a form token?). Pretty soon I noticed something weird. I have this small script (for testing):

<?php
$token = uniqid;
echo $token; // resulting in something like: 4cbba625bd06d
?>

Now, for some reason, if I run this code, no matter how often, the first few characters are always 4cbba. Anyone has an idea on why/how, et cetera?

So, 2 questions:
- is this function good enough for creating a secure form token?
- how/why does it keep starting with 4cbba?

Would love to hear it, thank you.
sKunKbad Posted October 18, 2010

In the code you have provided, $token will always be false, null, or empty.
BlueSkyIS Posted October 18, 2010

In my testing, it is the string uniqid.
fortnox007 Posted October 18, 2010

"In the code you have provided, $token will always be false, null, or empty."

Oops, that was a typo; it should have been:

<?php
$token = uniqid();
echo $token;
?>

Anyway, I found out why it keeps starting with the same characters. The manual says this: "Gets a prefixed unique identifier based on the current time in microseconds."

So the question remains: is this a secure way to create a token (so forget about my initial typo)? I am not sure how determined some people are, but if the XSS fanatic could fine-tune his server to the microsecond of my server, he could spoof the token. Or is this pretty unthinkable?
fortnox007 Posted October 18, 2010

Sorry to bump this, but it was on the third page. May I assume that the function uniqid(); is secure enough for creating a form token, or are there better practices? Love to hear from you people.
salathe Posted October 19, 2010

I know that you already found the reason in the manual, but here's a little more info. Part (or all, if you're not getting a "strong" ID) of the ID is based on the current time: the first 8 hexadecimal digits are seconds since the UNIX epoch and the next 5 are milliseconds. Don't confuse unique with random. Finally, go for using the more_entropy parameter with uniqid(), as that does add a little randomness to the end of the ID. As for a "secure way to create a token", you could still use uniqid() but hash the value (with a salt) to get something unguessable, using one of the many hashing functions available.
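Editor's note, with an added example that is not from anyone in this thread: the two time fields salathe describes can be read straight back out of a uniqid() value. Per the PHP manual quoted earlier in the thread, the 5 hex digits after the 8-digit second counter hold the microsecond part (0x00000 to 0xF423F), so an attacker who can narrow the issuing time to a single second has at most one million candidates to try, and hashing the value (even with a salt) does not change that: either the salt is known and the attacker hashes the same million candidates, or the salt is a secret and the unguessability comes entirely from the secret, not from uniqid(). The more_entropy digits are drawn from PHP's combined linear congruential generator, which is not a cryptographic source. The script below decodes the value posted above and then builds a form token the way a current PHP application should, from random_bytes() (PHP 7 and later, so not available when this thread was written), compared with hash_equals(). The function names decode_uniqid, uniqid_guesses_per_second, csrf_token and csrf_check are my own, and the $session array stands in for $_SESSION so the script runs from the command line without session_start().

```php
<?php
declare(strict_types=1);

// Split a plain uniqid() value (no prefix, more_entropy = false) into the
// two time fields it is built from: 8 hex digits of Unix seconds followed by
// 5 hex digits of microseconds. Returns null if the string is not that shape.
function decode_uniqid(string $id): ?array
{
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})$/', $id, $m)) {
        return null;
    }
    return ['seconds' => hexdec($m[1]), 'microseconds' => hexdec($m[2])];
}

// Worst-case number of candidate IDs once the issuing second is known:
// one per possible microsecond value.
function uniqid_guesses_per_second(): int
{
    return 1000000;
}

// Issue (or reuse) a per-session CSRF token from the CSPRNG.
// 32 bytes = 256 bits of entropy, hex-encoded to 64 characters.
// $session is a stand-in for $_SESSION (assumption for the demo).
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Validate a submitted token. hash_equals() runs in constant time, so the
// comparison does not leak how many leading characters matched.
function csrf_check(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Demo input: the value shown in the first post of this thread.
$parts = decode_uniqid('4cbba625bd06d');
printf(
    "seconds=%d (%s UTC) microseconds=%d\n",
    $parts['seconds'],
    gmdate('Y-m-d H:i:s', $parts['seconds']),
    $parts['microseconds']
);
printf("candidates per known second: %d\n", uniqid_guesses_per_second());

// A token nobody can reconstruct from a clock.
$session = [];
$token = csrf_token($session);
var_dump(strlen($token) === 64);
var_dump(csrf_check($session, $token));    // genuine submission
var_dump(csrf_check($session, uniqid()));  // attacker's time-based guess
var_dump(csrf_check($session, null));      // missing field
```

Decoding the posted value by hand gives 0x4cbba625 = 1287366181 seconds, which is 2010-10-18 01:43:01 UTC, the day the thread was started, and 0xbd06d = 774253 microseconds; the "4cbba" prefix the original poster kept seeing is simply the high bits of that second counter, which only change every few hours. In a real application the token goes into $_SESSION (after session_start()) and into a hidden form field, and csrf_check() is called on every state-changing POST before anything else happens.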
fortnox007 Posted October 19, 2010

"I know that you already found the reason in the manual, but here's a little more info. Part (or all, if you're not getting a "strong" ID) of the ID is based on the current time: the first 8 hexadecimal digits are seconds since the UNIX epoch and the next 5 are milliseconds. Don't confuse unique with random. Finally, go for using the more_entropy parameter with uniqid(), as that does add a little randomness to the end of the ID. As for a "secure way to create a token", you could still use uniqid() but hash the value (with a salt) to get something unguessable, using one of the many hashing functions available."

Thanks a lot, Salathe, for the tips! Sorry if my question was a bit noobish, but I am not yet that experienced with this and would rather know more than less. Cheers!
salathe Posted October 19, 2010

No problemo, and don't worry about asking "noobish" questions (this wasn't one, by the way). We all started at nothing.