[nycphp-talk] Spoofing Forms
Chris Shiflett
shiflett at php.net
Fri Feb 4 01:32:27 EST 2005
I saw a reference to this on another site:
http://education.nyphp.org/phundamentals/PH_spoofed_submission.php
Actually, I saw it quoted, and here is the part that was quoted:
--
One implementation would be to store the secret in the user's session:
$secret = md5(time());
$_SESSION['secret'] = $secret;
--
Yikes! That sure is a weak secret.
I'm sure the date for edits has passed, but would anyone mind if we
changed this to the following?
$secret = md5(uniqid(rand(), true));
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly HTTP Developer's Handbook - Sams
Coming Soon http://httphandbook.org/
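For readers of the archive, here is a complete session-bound form token in the style the thread discusses. This is an added example, not code from Chris's post or from the nyphp.org article; the function names issue_form_token and verify_form_token are my own, and it assumes PHP 7 or later so the secret can come from random_bytes() and the comparison from hash_equals(), rather than the 2005-era md5(uniqid(rand(), true)).

```php
<?php
// Added example: session-bound form token that detects spoofed submissions.
// Assumes PHP >= 7 (random_bytes, hash_equals); function names are mine,
// not from the post or the nyphp.org phundamentals article.

session_start();

// Issue a fresh, unpredictable secret and keep the authoritative copy
// server-side in the session. 32 random bytes from the CSPRNG, hex-encoded.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Check a submitted token against the session copy. The token is
// single-use: it is consumed whether or not the comparison succeeds,
// and hash_equals() keeps the comparison constant-time.
function verify_form_token(?string $submitted): bool {
    if (!isset($_SESSION['form_token']) || !is_string($submitted)) {
        return false;
    }
    $expected = $_SESSION['form_token'];
    unset($_SESSION['form_token']);
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form submission rejected: missing or mismatched token.');
    }
    // ... handle the verified submission here ...
    exit('Accepted.');
}

$token = issue_form_token();
?>
<form method="post" action="">
  <input type="hidden" name="token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="comment">
  <input type="submit" value="Send">
</form>
```

A request that arrives without the token, or with a token from another session, fails verify_form_token() and is rejected before any of the form's data is processed.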