问题
What is the best way of generating a hash for the purpose of storing a session? I am looking for a lightweight, portable solution.
回答1:
You can use PHP's built-in hashing functions, sha1 and md5. Choose one, not both.
One may think that using both, sha1(md5($pass)) would be a solution. Using both does not make your password more secure, its causes redundant data and does not make much sense.
Take a look at PHP Security Consortium: Password Hashing they give a good article with weaknesses and improving security with hashing.
Nonce stands for "numbers used once". They are used on requests to prevent unauthorized access, they send a secret key and check the key each time your code is used.
You can check out more at PHP NONCE Library from FullThrottle Development
回答2:
bin2hex(mcrypt_create_iv(22, MCRYPT_DEV_URANDOM));
- mcrypt_create_iv will give you a random sequence of bytes.
- bin2hex will convert it to ASCII text
Example output:
d2c63a605ae27c13e43e26fe2c97a36c4556846dd3ef
Bare in mind that "best" is a relative term. You have a tradeoff to make between security, uniqueness and speed. The above example is good for 99% of the cases, though if you are dealing with a particularly sensitive data, you might want to read about the difference between MCRYPT_DEV_URANDOM and MCRYPT_DEV_RANDOM.
Finally, there is a RandomLib "for generating random numbers and strings of various strengths".
Notice that so far I have assumed that you are looking to generate a random string, which is not the same as deriving a hash from a value. For the latter, refer to password_hash.
回答3:
random_bytes() is available as of PHP 7.0 (or use this polyfill for 5.2 through 5.6):
$hash = bin2hex(random_bytes(16));
echo serialize($hash);
Output:
s:32:"c8b2ca837488ff779753f374545b603c";
回答4:
Maybe uniqid() is what you need?
uniqid — Generate a unique ID
回答5:
You can use openssl_random_pseudo_bytes since php 5.3.0 to generate a pseudo random string of bytes. You can use this function and convert it in some way to string using one of these methods:
$bytes = openssl_random_pseudo_bytes(32);
$hash = base64_encode($bytes);
or
$bytes = openssl_random_pseudo_bytes(32);
$hash = bin2hex($bytes);
The first one will generate the shortest string, with numbers, lowercase, uppercase and some special characters (=, +, /). The second alternative will generate hexadecimal numbers (0-9, a-f)
回答6:
Use random_bytes() if it's available!
$length = 32;
if (function_exists("random_bytes")) {
$bytes = random_bytes(ceil($length / 2));
$token = substr(bin2hex($bytes), 0, $length)
}
Check it on php.net
回答7:
I personally use apache's mod_unique_id to generate a random unique number to store my sessions. It's really easy to use (if you use apache).
For nonce take a look here http://en.wikipedia.org/wiki/Cryptographic_nonce there's even a link to a PHP library.
回答8:
I generally dont manually manage session ids. Ive seen something along these lines recommended for mixing things up a bit before, ive never used myself so i cant attest to it being any better or worse than the default (Note this is for use with autogen not with manual management).
//md5 "emulation" using sha1
ini_set('session.hash_function', 1);
ini_set('session.hash_bits_per_character', 5);
回答9:
Different people will have different best ways. But this is my way:
- Download this
rand-hash.phpfile : http://bit.ly/random-string-generator include()it in the php script that you are working with. Then, simply callcc_rand()function. By default it will return a 6 characters long random string that may includea-z, A-Z,and0-9. You can passlengthto specify how many characterscc_rand()should return.
Example:
cc_rand()will return something like:4M8irocc_rand(15)will return something similar to this:S4cDK0L34hRIqAS
Cheers!
来源:https://stackoverflow.com/questions/2293684/what-is-the-best-way-to-create-a-random-hash-string