Edit report at http://bugs.php.net/bug.php?id=51436&edit=1
ID: 51436
Comment by: crrodriguez at opensuse dot org
Reported by: andreas at andreas dot org
Summary: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Status: Assigned
Type: Bug
Package: *Encryption and hash functions
Operating System: all
PHP Version: 5.3.2
Assigned To: pajoye

New Comment:

I think uniqid() should also use a zend_mm_random()-like random value when more_entropy is set to true instead of the LCG ...

Previous Comments:
------------------------------------------------------------------------
[2010-04-07 17:44:16] paj...@php.net

And assigned to me, almost done with the patch we discussed.
------------------------------------------------------------------------
[2010-04-07 17:43:49] paj...@php.net

Well, the easiest to "backport" something now and here is to use the given settings. You can do it right now.
------------------------------------------------------------------------
[2010-04-07 17:21:47] andreas at andreas dot org

I strongly suggest backporting. Also, the fact that uniqid() values are predictable too needs addressing.
------------------------------------------------------------------------
[2010-03-31 20:30:53] ras...@php.net

I have switched the default in trunk to either /dev/urandom or /dev/arandom if it exists. We actually already had a check for it in Zend for the zend_mm_random() function. Whether we backport this to 5.3 or just improve the documentation for that setting is up to Johannes, I think.
------------------------------------------------------------------------
[2010-03-31 20:03:18] ras...@php.net

Automatic comment from SVN on behalf of rasmus
Revision: http://svn.php.net/viewvc/?view=revision&revision=297232
Log:
Set session.entropy_file to /dev/urandom or /dev/arandom by default if present at compile-time. Addresses part of bug #51436
------------------------------------------------------------------------
The remainder of the comments for this report are too long.
To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=51436
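The "given settings" pajoye refers to are the session.entropy_file and session.entropy_length php.ini directives (PHP 5.x; removed in PHP 7.1), which make the session ID generator mix bytes from a kernel source into the time/LCG-derived input. The script below is an added example, not code from the bug report or from PHP itself: it reports whether a running PHP is still in the weak configuration the report describes (entropy file unset or not read), and shows a token generator that reads the CSPRNG directly instead of relying on uniqid(). The helper names, the 32-byte entropy length suggested in the comments, and the presence of /dev/urandom are assumptions of this example.

```php
<?php
// Added example for PHP bug #51436 (not the project's own code).
// Suggested php.ini values this check looks for (values are this example's choice):
//   session.entropy_file = /dev/urandom
//   session.entropy_length = 32

// Report whether session IDs get kernel entropy or only time + LCG input.
function session_entropy_status() {
    $file = ini_get('session.entropy_file');
    $len  = (int) ini_get('session.entropy_length');
    if ($file === false || $file === '') {
        return array('ok' => false,
            'reason' => 'session.entropy_file is unset: session IDs depend on time and the LCG only');
    }
    if (!is_readable($file)) {
        return array('ok' => false, 'reason' => "session.entropy_file ($file) is not readable");
    }
    if ($len <= 0) {
        return array('ok' => false,
            'reason' => 'session.entropy_length is 0: the entropy file is configured but never read');
    }
    return array('ok' => true, 'reason' => "$len bytes from $file are mixed into each session ID");
}

// Token generator that never touches uniqid(): prefer openssl's CSPRNG when the
// extension is loaded, otherwise read /dev/urandom (assumed to exist) directly.
function random_token($bytes = 16) {
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $raw = openssl_random_pseudo_bytes($bytes, $strong);
        if ($raw !== false && $strong) {
            return bin2hex($raw);
        }
    }
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh === false) {
        throw new RuntimeException('no CSPRNG available');
    }
    $raw = fread($fh, $bytes);
    fclose($fh);
    if (strlen($raw) !== $bytes) {
        throw new RuntimeException('short read from /dev/urandom');
    }
    return bin2hex($raw);
}

$status = session_entropy_status();
echo ($status['ok'] ? 'OK: ' : 'WEAK: ') . $status['reason'] . "\n";
echo 'token: ' . random_token() . "\n";
```

Run it with the same php.ini (or `php -d session.entropy_file=/dev/urandom -d session.entropy_length=32 check.php`) that the web server uses; a `WEAK:` line means session IDs on that build are still produced the way the report describes, and any code that uses uniqid() for tokens should be moved to something like random_token() regardless of the ini fix, since uniqid() is not affected by those directives.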