Is my PHP code secure?

Networking/Security Forums -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security

Author: BenB    Posted: Sat Mar 06, 2010 3:27 am    Post subject: Is my PHP code secure?
    ----
Okay, so I'm using PHP and want to make an encryption method for storing a random value in the user's cookie as a method of authentication so they don't need to log back in every time they visit the site. Would the code below be secure?

$salt = "some random characters I made up";
hash('sha256', $salt.microtime(true).mt_rand(10000000,99999999));

Thanks!

Author: gnix    Posted: Mon Apr 05, 2010 8:27 am    Post subject:
    ----
Trust me, the problem is rarely the random number used to track a user, but the website's cookie management.

gnix

P.S.: In any case, your random value is random for sure. ;)

Author: krugger    Posted: Tue Mar 22, 2011 6:41 pm    Post subject:
    ----
A hash is 32 letters long, with 16 options per letter. So walking the entire key space takes 2^36 attempts, so it is a bit challenging.

The most common problems will be someone sniffing the cookie and replaying it. Anyway, how do you validate the hash in the cookie the user sends you?

Author: capi    Location: Portugal    Posted: Wed Mar 23, 2011 12:54 am    Post subject:
    ----
krugger wrote:
A hash is 32 letters long, with 16 options per letter. So walking the entire key space takes 2^36 attempts, so it is a bit challenging.

Assuming 32 letters, I think you mean 16^32 == (2^4)^32 == 2^(4*32) == 2^128 attempts :) (as a worst case scenario for the attacker, of course)

In BenB's case, sha256 is being used, so for a pure brute force approach it would take 2^256 attempts (again as a worst case scenario).
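
Added example, not part of any post in this thread: one way to issue and validate a "remember me" cookie value in PHP, covering the validation and cookie-handling questions raised above. It takes the token from random_bytes() (PHP's CSPRNG) rather than the microtime()/mt_rand() inputs in the original post; the in-memory store, the cookie name "remember", the 30-day lifetime and user id 42 are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory store standing in for a database table:
// sha256(token) => ['user' => int, 'expires' => int]
$store = [];
const TOKEN_TTL = 30 * 24 * 3600; // hypothetical 30-day lifetime

/** Issue a new token for $userId; only its hash is kept server-side. */
function issueToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG, hex-encoded
    $store[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + TOKEN_TTL];
    return $token;
}

/** Return the user id for a presented cookie value, or null. Tokens are single-use. */
function validateToken(array &$store, string $presented, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $presented)) {
        return null; // malformed cookie value
    }
    $key = hash('sha256', $presented); // look up by hash, never by the raw token
    $row = $store[$key] ?? null;
    unset($store[$key]); // consume it: a replayed copy of the cookie no longer matches
    if ($row === null || $row['expires'] < $now) {
        return null;
    }
    return $row['user'];
}

/** Cookie attributes that limit sniffing and script access (web context only). */
function sendRememberCookie(string $token, int $now): void
{
    setcookie('remember', $token, [
        'expires'  => $now + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Demo with constructed values, run from the CLI.
$now   = time();
$token = issueToken($store, 42, $now);
var_dump(validateToken($store, $token, $now));              // first presentation
var_dump(validateToken($store, $token, $now));              // same value replayed
var_dump(validateToken($store, str_repeat('0', 64), $now)); // well-formed, never issued
```

Because each token is consumed on use, a successful validateToken() should be followed by issueToken() and sendRememberCookie() so the browser receives a fresh value.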



All times are GMT + 2 Hours