为什么要散列（不使用盐）随机数？

Question

The following snippet of code is in php but I've seen developers of other web programming languages hash random numbers.

if ($loginValid=='yes') {
    $token = sha256(generateRandomNumber());
    $_SESSION["token"] = $token;
    $_SESSION["userid"] = $id;
    setcookie("authenticationtoken", $token, ...)
}

sha256 is a cryptographic hash function. Since it does not use a salt, whatever input you give it, the same output comes out. Try it out:

http://www.xorbin.com/tools/sha256-hash-calculator

In what context is hashing (without using a salt) a random number considered good practice?

Answer 1

My guess is that it's just a simple way of getting a hash of a known size, independently of the size that generateRandomNumber() returns. Obviously if generateRandomNumber() has a small range, that will be reflected in the number of distinct hashes returned too.

Answer 2

Assuming that GenerateRandomNumber does not have a random seed, ie it is a truly cryptographically secure random number, a salt won't be required. Remember that the purpose of a salt is to ensure that if the same input is used to a hash function, it will return two different results.

If token simply needs to be a secret that is passed to the client, then salting this hash won't really help.

For reference, you would use a salt on a password hash. Rather than storing the user password, you store its hash so that if you database is penetrated no one can steal a user's password. However, you do not want people who use the same password to get the same hash, so you add a salt to the password before it is hashed to ensure that even if two users have the same password, they should get a different hash.