PHP中的长随机字符串生成器

Question

Does anyone know how to generate a long (eg 280 characters) random string in PHP without having to use a for loop that will loop through characters 280 times? I need it in order to create a custom session ID.

The PHPSESSID is not secure enough in my opinion being too short and not too random. I know Facebook and Twitter, use long session IDs (150, 550 chars respectively).

There could be an option to use MD5 strings or Bcrypt encryption of different string such as PHPSESSID , host, User-Agent etc. but I'm not sure this is the right way of doing it.

Answer 1

If you're asking a question like that, it probably means you don't know anything about cryptography or security. Trying to generate a "long random string" because, as you say, "The PHPSESSID is not secure enough" will probably lead you to a custom and insecure implementation.

Generating a random string is IMPOSSIBLE , at least not with your current hardware: you may approximate a fair pseudorandom generator but that is only useful for educational purposes.

PHP's Session ID generation algorithm is fairly efficient; if you think it is not secure enough, then you'll likely waste time making it better. You may probably want to use a different authentication mechanism if you are looking at maximum security (using a client certificate for example).

If websites such as Twitter, Facebook, or another site with similar traffic use longer session IDs, it may be not because it is more secure (well in a way), but rather because it avoids conflicts.

Finally, if you want a longer session ID without trying to write your own algorithm, you should use the following PHP configuration directive:

session.hash_function which can take any hash algorithm known by PHP.

You may also want to use session.bits_per_characters to shorten or lengthen the string. Note that if you do this, the string may be longer or shorter, but the data remains the same -- only represented differently (base 16, base 32, etc.)

Additional info:

You may also increase the entropy by using a custom source (file) and setting the length of the seed:

ini_set("session.hash_function", "sha512");
ini_set("session.bits_per_charater", 4); // 4 means hex
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");

Answer 2

Can it be binary hexadecimal?

bin2hex(mcrypt_create_iv(140, MCRYPT_DEV_URANDOM));

Or if you have access to hash_pbkdf2() :

hash_pbkdf2('sha256', PHPSESSID, mt_rand(), 1, 280, false);

Answer 3

You'll probably find that not all the bits in a "long" session id are purely random - they might provide additional information to the application to enable rapid extraction of key information.

PHP session ids by default aren't too bad, and can be improved by providing some extra entropy (eg from /dev/urandom)

Look at php_session_create_id in ext/session/session.c in the php source

It goes like this:

• get time of day
• get remote ip address
• build a string with the seconds and microseconds from the current time, along with the IP address
• feed that into configured session hash function (either MD5 or SHA1)
• if configured, feed some additional randomness from an entropy file
• generate final hash value

So getting a duplicate or predicting a session id is pretty difficult.

Answer 4

Make yourself a long string and shuffle it.

$string = 'asdfhdfiadfshsdfDSGFADSFDSFDSFER524353452345';
$new_string = shuffle($string);