I am working on enhancing the security of an existing web application which currently has not implemented the use of anti-CSRF tokens, so it is up to me to generate one, add the hidden fields and checks, etc. A limitation right now is that neither the openssl or mcrypt modules are currently configured on the server.
Here is my token-generating code:
$csrfToken = base64_encode(uniqid(mt_rand(100, 999) . microtime(), true);
I have a feeling that this would provide an adequate token, but not a particularly strong one, but that's my own personal instinct. Does anybody have any suggestions as to how I can strengthen the security of this token without the use of mcrypt or openssl functions? Thank you!
Aucun commentaire:
Enregistrer un commentaire