CSRF token is always the same
This is probably a Windows issue (Windows 7, 64bit):
The blog example generates links like "posts/new?__csrfToken=00000000000000000000000000000000" for protected actions.
Updated by Bastian Waidelich about 10 years ago
Christian Mueller wrote:
Maybe we should add a fallback to generate "not so strongly randomized data" to have it running on Win 64-bit but log the fact that it is not so secure? WDYT?
The Randomizer already comes with a fallback to mt_rand - but the problem is that (in my case) it doesn't reach that fallback, as it considers "00000000000000000000000000000000" a valid result.
Updated by Christian Müller about 10 years ago
Yep, I see.
I guess it goes wrong around line 219 for you, maybe you check that out. It fills an array with zeros then uses the .NET crypto stuff, but finally it returns the array filled with zeros. For me this code looks plain wrong, I think this $variant thingy is filled with the random bytes and so its content needs to be returned there.
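The two points raised above (the fallback is never reached because an all-zero buffer passes as valid, and the Windows branch returns its zeroed scratch array instead of the random bytes) can be illustrated with an added example; this is not Flow's Randomizer, and the broken source, the log callback and the sanity check are constructed for the illustration:

```php
<?php
// Added example, not Flow's own code: a random-bytes helper whose fallback is
// also triggered when the primary source returns a degenerate (all-zero)
// buffer, instead of accepting any non-false return value as valid.

/**
 * True if $bytes looks usable: correct length and, for buffers of two or
 * more bytes, not a single repeated byte value (which catches all zeros).
 */
function looksRandom(?string $bytes, int $expectedLength): bool
{
    if ($bytes === null || strlen($bytes) !== $expectedLength) {
        return false;
    }
    // count_chars() mode 3 returns a string of the distinct byte values present.
    return $expectedLength < 2 || strlen(count_chars($bytes, 3)) > 1;
}

/**
 * Tries $primary first; falls back to mt_rand-derived bytes and reports the
 * fact through $log when the primary source throws or yields a degenerate
 * buffer. mt_rand is not a CSPRNG: the fallback keeps the app running, and
 * the log line is what tells an operator that tokens are currently weak.
 */
function generateRandomBytes(int $count, callable $primary, callable $log): string
{
    $bytes = null;
    try {
        $bytes = $primary($count);
    } catch (Throwable $e) {
        $log('primary random source threw: ' . $e->getMessage());
    }
    if (looksRandom($bytes, $count)) {
        return $bytes;
    }
    $log('primary random source returned a degenerate buffer; using mt_rand fallback');
    $fallback = '';
    for ($i = 0; $i < $count; $i++) {
        $fallback .= chr(mt_rand(0, 255));
    }
    return $fallback;
}

// Constructed stand-in for the broken Windows path: allocates a zeroed
// buffer and returns it untouched, as the thread describes.
$brokenSource = static function (int $count): string {
    return str_repeat("\0", $count);
};
$messages = [];
$token = bin2hex(generateRandomBytes(16, $brokenSource, function (string $m) use (&$messages): void {
    $messages[] = $m;
}));
echo $token, PHP_EOL;                 // 32 hex chars, no longer all zeros
echo implode(PHP_EOL, $messages), PHP_EOL; // the fallback was logged
```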