Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Better nonce generator #537

Open
paragonie-scott opened this issue Jan 22, 2018 · 2 comments
Open

Better nonce generator #537

paragonie-scott opened this issue Jan 22, 2018 · 2 comments

Comments

@paragonie-scott
Copy link

Offending code:

How to do it instead:

https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php
@PeeHaa
Copy link
Collaborator

PeeHaa commented Jan 23, 2018
edited
Loading

Am I missing something here?

The nonce in oauth is more used to prevent the service from processing the same request multiple times and not to prevent some security issue.

Worst case means valid requests will be flagged as invalid.

Without a way for the attacker to use their own new nonce and ability to create a new valid signature with it what good is it to the attacker.

Not arguing it's a suboptimal solution

@paragonie-scott
Copy link
Author

Am I missing something here?

Nope. I just wanted to call attention to it and suggest using random_int() and bin2hex(random_bytes(16)) respectively.

@PeeHaa PeeHaa changed the title Insecure Random Number Generator Better nonce generator Jan 23, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@PeeHaa @paragonie-scott