Request for Comments: getEntropy feature request


This isn't done yet, don't read it yet. please?

There are a number of situations within web development where the application must use a random string, notably CSRF defense. Within the language this is currently problematic, implemented “solutions” range from the tragic: md5(time()), the system dependent echo file_get_contents (“/dev/random/”, null, null, null,128), to the convoluted md5(mtrand() . mtrand(). mtrand()). Other implementations use uniqid() which simply wasn't designed to provide random information, merely a unique identifier.

This RFC requests an additional userspace function getEntropy() which provides N bits of entropy (binary) in a platform independent manner.

Early discussions with more active (and qualified) members of the internals list have suggested wrapping some of the functionality provided by OpenSSL. While the author isn't opposed to that per say, it would be very much preferred to have this functionality available as a feature of core, so proper random values are available to all.

Note that while CSRF is the example here, it's far from the only use of data that is random from a cryptographic standpoint. From all positions it would be great from an educational standpoint to simply and clearly say: “The answer for generating a random value here is X”, and I'm not sure we have that at the moment.


$nonce = unpack('h', getEntropy(128));
echo '<input type="hidden" name="csrf" value="' . $nonce . '">';
$_SESSION['csrf'] = $nonce;


Declined, as having http://php.net/openssl_random_pseudo_bytes makes this RFC obsolete.

rfc/functiongetentropy.txt · Last modified: 2017/09/22 13:28 by