Skip to content

Commit

Permalink
Fix #6103
Browse files Browse the repository at this point in the history
  • Loading branch information
zsturgess committed Jan 22, 2016
1 parent ddd3478 commit e9ada96
Showing 1 changed file with 28 additions and 27 deletions.
55 changes: 28 additions & 27 deletions components/security/secure_tools.rst
Original file line number Diff line number Diff line change
@@ -1,47 +1,48 @@
Securely Generating Random Numbers
Securely Generating Random Strings
==================================

The Symfony Security component comes with a collection of nice utilities
related to security. These utilities are used by Symfony, but you should
also use them if you want to solve the problem they address.

Generating a Secure random Number
Generating a Secure Random String
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Whenever you need to generate a secure random number, you are highly
encouraged to use the Symfony
:class:`Symfony\\Component\\Security\\Core\\Util\\SecureRandom` class::
Whenever you need to generate a secure random string, you are highly
encouraged to use the
:phpfunction:`random_bytes` function::

use Symfony\Component\Security\Core\Util\SecureRandom;
$random = random_bytes(10);

$generator = new SecureRandom();
$random = $generator->nextBytes(10);
The function returns a random string, suitable for cryptographic use, of
the number bytes passed as an argument (10 in the above example).

The
:method:`Symfony\\Component\\Security\\Core\\Util\\SecureRandom::nextBytes`
method returns a random string composed of the number of characters passed as
an argument (10 in the above example).
.. tip::

The SecureRandom class works better when OpenSSL is installed. But when it's
not available, it falls back to an internal algorithm, which needs a seed file
to work correctly. Just pass a file name to enable it::
The ``random_bytes()`` function returns a binary string which may contain the
``\0`` character. This can cause trouble in several common scenarios, such
as storing this value in a database or including it as part of the URL. The
solution is to hash the value returned by ``random_bytes()`` (to do that, you
can use a simple ``md5()`` PHP function).

use Symfony\Component\Security\Core\Util\SecureRandom;
Generating a Secure Random Number
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$generator = new SecureRandom('/some/path/to/store/the/seed.txt');
If you need to generate a cryptographically secure random integer, you should
use the
:phpfunction:`random_int` function::

$random = $generator->nextBytes(10);
$hashedRandom = md5($random); // see tip below
$random = random_int(1, 10);

.. note::

If you're using the Symfony Framework, you can get a secure random number
generator via the ``security.secure_random`` service.
PHP 7 and up provide the ``random_bytes()`` and ``random_int()`` functions natively,
for older versions of PHP a polyfill is provided by the `Symfony Polyfill Component`_
and the `paragonie/random_compat package`_.

.. tip::
.. versionadded:: 2.8

The ``nextBytes()`` method returns a binary string which may contain the
``\0`` character. This can cause trouble in several common scenarios, such
as storing this value in a database or including it as part of the URL. The
solution is to hash the value returned by ``nextBytes()`` (to do that, you
can use a simple ``md5()`` PHP function).
The `paragonie/random_compat package`_ was added as a dependancy of the Symfony Security Component in 2.8. You will need to manually require the package as a dependancy of your project in versions of Symfony prior to 2.8.

.. _`Symfony Polyfill Component`: https://github.com/symfony/polyfill
.. _`paragonie/random_compat package`: https://github.com/paragonie/random_compat

0 comments on commit e9ada96

Please sign in to comment.