randomness

Helper functions for getting secure random numbers

Github Repo (please don't use the zip file on the Yii Extensions CMS; I do not maintain it)

This Yii application component provides four handy helper functions for use in web apps that need to handle passwords.

The wiki article on secure password hash storage explains the background to the functions in this extension.

Requirements

Yii 1.1 or newer

Usage

Randomness' methods return random numbers. It uses the operating system's CSPRNG if it can. If it can't, it logs a warning and falls back to something less secure. In the case that neither openssl_random_pseudo_bytes() nor /dev/random works, it falls back on its own stupid tricks to shuffle things up (read the code).

In most decent production environments, be it Windows, Unix or Linux, Randomness will return a good, cryptographically secure random value and not use any hackery. But test it out to see how it works for you by checking your logs (Yii logs, not the PHP error log).

Test to be sure

You're in good shape if this returns true:

var_dump(function_exists('openssl_random_pseudo_bytes'));

Two of the helpers return simple random strings:

// get 16 random bytes
$r = Randomness::randomBytes(16);
 
// get an 8-char random string using [a-zA-Z0-9~.]
$s = Randomness::randomString(8);

Randomness::blowfishSalt() works together with PHP's crypt() to get a decent password hash:

$user = new User;
$user->email = $form->email;
$user->bf_hash = crypt($form->password, Randomness::blowfishSalt());
if ($user->save())
    ...
 
// To authenticate:
public function authenticate() {
    $user = User::model()->findByAttributes(array(
        'email' => $this->username,
    ));
    if ($user === null
        || crypt($this->password, $user->bf_hash) !== $user->bf_hash
    )
        $this->errorCode = self::ERROR_UNKNOWN_IDENTITY;
    ...
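As an added example (not the extension's own code), here is the same salt-plus-crypt() workflow written out in plain PHP: a salt builder that refuses to run without a cryptographically strong source instead of falling back, and a verifier that compares hashes in constant time. The function names csprngBytes, blowfishSalt, hashPassword and verifyPassword are assumptions, not the extension's API.

```php
<?php
// Added example, not part of the randomness extension. Function names are assumed.

// Return $n bytes from the OS CSPRNG, or throw. Unlike the extension this never
// falls back to a weaker source, so a misconfigured openssl fails loudly.
function csprngBytes($n) {
    if (function_exists('random_bytes')) {          // PHP 7+
        return random_bytes($n);
    }
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($n, $strong);
    if ($bytes === false || !$strong) {
        throw new RuntimeException('no cryptographically strong RNG available');
    }
    return $bytes;
}

// Blowfish salt for crypt(): "$2y$" + two-digit cost + 22 chars of [./A-Za-z0-9].
// "$2y$" needs PHP 5.3.7 or newer; cost is the log2 number of bcrypt rounds.
function blowfishSalt($cost = 12) {
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('cost must be between 4 and 31');
    }
    // base64 uses [A-Za-z0-9+/]; crypt's alphabet is [./A-Za-z0-9], so map '+' to '.'.
    $raw  = csprngBytes(17);                         // 17 bytes -> 23 base64 chars, 22 used
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function hashPassword($password) {
    $hash = crypt($password, blowfishSalt());
    // crypt() returns a short failure string such as "*0" when the salt is rejected,
    // so check the length rather than storing whatever came back.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

// Re-hash with the stored hash as salt and compare in constant time
// (hash_equals() exists since PHP 5.6) instead of a plain !==.
function verifyPassword($password, $storedHash) {
    return hash_equals($storedHash, crypt($password, $storedHash));
}

$hash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash));
var_dump(verifyPassword('wrong password', $hash));
```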

Resources

  • Wiki page
  • Github Repo

NOTE to XAMPP users on Windows:

It seems XAMPP comes with openssl, but you might need to configure it before it will work. Do this before using Randomness. Take a look at: xampp\php\extras\openssl\README-SSL.txt

Total 2 comments

#6176 fsb at 2011/12/16 11:49am
CSecurityManager

CSecurityManager uses mt_rand to generate random numbers.

Don't use it.

#6167 Cherif at 2011/12/16 05:27am
What about the CSecurityManager?

I don't see any use of the CSecurityManager!! I think it is a powerful class that needs some attention.
