Bug #31557
Ambiguous optinhash values
| Status: | New | Start date: | 2011-11-03 |
|---|---|---|---|
| Priority: | Must have | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Votes: | 0 | | |
Description
Random numbers generated by simpleRandString() are, at a significant rate, not unique!
In a recent project this led to dozens of users who were not able to finish their registration to the online portal because the optinhash value did not match the associated uid because the optinhash value had been issued and used before in the course of another registration process.
The optinhash (which is actually a random number and does not depend on underlying data) is generated by the simpleRandString() routine. In each call, it seeds the (pseudo) random generator:
mt_srand ((double) microtime () * 1000000);
In our environment (PHP 5.3.5), this results in at max 1000 different double values as a seed. As random numbers generated afterwards using mt_rand() are pseudo-random, coincidences at a significant rate are likely.
"As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically."
http://de2.php.net/manual/en/function.mt-srand.php
Removing the complete seeding line (stated above) should solve this issue.
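The failure mode described in this report, simulated as an added example that is not part of the bug report or of the extension's code: a token generator that re-seeds its PRNG on every call from a clock value with only a small number of distinct values can never produce more distinct tokens than there are distinct seeds, no matter how many tokens are requested. The simulation is in Python rather than PHP; `random.Random(seed)` stands in for the `mt_srand()` + `mt_rand()` pair, `SEED_SPACE = 1000` is the "at max 1000 different values" figure from the report, and `coarse_clock_seed()` is a constructed stand-in for `(double) microtime() * 1000000`, not a model of how PHP derives that value. The contrasting generator uses the OS-backed CSPRNG with no manual seeding.

```python
import random
import secrets

# Taken from the report: the per-call seed takes at most ~1000 distinct values.
# Everything else about the clock model below is a constructed simplification.
SEED_SPACE = 1000
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def coarse_clock_seed(call_index):
    """Constructed stand-in for the per-call seed: only SEED_SPACE distinct
    values can ever occur, whatever the call index is."""
    return call_index % SEED_SPACE


def token_reseeded(seed, length=16):
    """Token generation that re-seeds on every call, mirroring the
    mt_srand()-then-mt_rand() pattern from the report. The output is a
    pure function of the seed, so equal seeds give equal tokens."""
    rng = random.Random(seed)  # generator state derived only from the seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def token_csprng(length=16):
    """Hardened variant: no manual seeding, OS-backed CSPRNG via secrets."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def distinct_reseeded(n_calls):
    """Number of distinct tokens the re-seeding generator yields over n_calls
    registrations; this is capped by SEED_SPACE regardless of n_calls."""
    return len({token_reseeded(coarse_clock_seed(i)) for i in range(n_calls)})


def distinct_csprng(n_calls):
    """Number of distinct tokens the CSPRNG generator yields over n_calls."""
    return len({token_csprng() for _ in range(n_calls)})


if __name__ == "__main__":
    calls = 5000
    print("same seed twice:", token_reseeded(7) == token_reseeded(7))
    print(f"re-seeded generator, {calls} calls: {distinct_reseeded(calls)} distinct tokens")
    print(f"CSPRNG generator,    {calls} calls: {distinct_csprng(calls)} distinct tokens")
```

With 5000 simulated registrations the re-seeding generator produces at most 1000 distinct optinhash-style tokens, so roughly four out of five values repeat an earlier one, which matches the registration collisions the report describes; the unseeded CSPRNG variant produces 5000 distinct tokens. The fix the report proposes, deleting the `mt_srand()` call so the generator is seeded once by the runtime, removes the cap; on PHP 7 and later, `bin2hex(random_bytes(16))` is the CSPRNG-backed equivalent of the `secrets` variant shown here.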