PHP CSRF Attack

执笔经年, 2020-12-09 14:28

I want to know if this code is strong enough to prevent CSRF attack on PHP Form?

3 answers

  • 挽巷 (OP), 2020-12-09 14:54

    I’d say it suffices for the given purpose.

    The values returned by uniqid(mt_rand(), true) should be up to 33 bytes:

    • up to 10 bytes prefix from mt_rand
    • 8 bytes system time in seconds
    • 5 bytes current microseconds
    • 10 bytes from the internal linear congruence generator php_combined_lcg

    However, these 33 bytes do not provide 264 bits of entropy but way less:

    • log2(2^31 - 1) ≈ 31 bits for the mt_rand prefix
    • system time is known (e.g. Date response header field)
    • microseconds can only have one of 10^6 values, so log2(10^6) ≈ 20 bits
    • LCG value is log2(10^9) ≈ 30 bits

    This sums up to almost 81 unknown bits. To brute force this, one would need on average 2^81 / 2 ≈ 1.2·10^24 guesses that result in a given token when hashed. The data to process would be approximately 8·10^13 TB. With today's computer, you should be able to run this in approximately 5.215·10^17 seconds.

    This should be sufficient to render an attack impracticable.
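The entropy estimate above, carried through in code, beside a token built from PHP's CSPRNG. This is an added example, not code from the question or the answer; the function names and the `csrf_token` session key and form field name are assumptions, and the entropy figures are the answer's own breakdown, not a measurement.

```php
<?php
// Added example (not from the original question or answer).
// Left: the answer's entropy estimate for uniqid(mt_rand(), true).
// Right: a CSRF token from random_bytes(), which PHP 7+ draws from the OS CSPRNG.

function uniqidTokenEntropyBits(): float {
    // Components the answer treats as unknown to an attacker.
    $mtRandPrefix = log(2 ** 31 - 1, 2);   // ≈ 31 bits
    $microseconds = log(10 ** 6, 2);       // ≈ 20 bits
    $lcgSuffix    = log(10 ** 9, 2);       // ≈ 30 bits
    // The 8-byte seconds field is treated as known (Date header), so 0 bits.
    return $mtRandPrefix + $microseconds + $lcgSuffix; // ≈ 81 bits
}

function issueCsrfToken(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 32 bytes from the CSPRNG = 256 bits of entropy, hex-encoded for the form field.
    // Session key name 'csrf_token' is an assumption for this example.
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $token;
    return $token;
}

function verifyCsrfToken(?string $submitted): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    // Constant-time comparison so the check does not leak how many leading bytes matched.
    return hash_equals($expected, $submitted);
}

// Usage in a form handler (assumed field name 'csrf_token'):
// GET:  $token = issueCsrfToken();
//       echo '<input type="hidden" name="csrf_token" value="'
//            . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
// POST: if (!verifyCsrfToken($_POST['csrf_token'] ?? null)) {
//           http_response_code(403);
//           exit;
//       }
printf("uniqid-based token: ~%.0f unknown bits\n", uniqidTokenEntropyBits());
printf("random_bytes(32) token: %d bits\n", 32 * 8);
```

The point of the comparison is that `random_bytes()` gives a token whose entropy does not depend on what an attacker can learn from response headers or from the predictability of `mt_rand()`, and `hash_equals()` keeps the verification step constant-time; both calls are standard PHP 7+ functions.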
