views:

119

answers:

4

What is the best way of making a md5 hash for the purpose of storing a session? Also, I am looking for one that works with PHP and works without many extensions added because I want my code to be portable. Also, I have heard of the word nonce, but how do I really use a nonce?

A: 

You can use PHP's built-in hashing functions, sha1 and md5. Choose one, not both.

One may think that using both, sha1(md5($pass)) would be a solution. Using both does not make your password more secure, its causes redundant data and does not make much sense.

Take a look at PHP Security Consortium: Password Hashing they give a good article with weaknesses and improving security with hashing.

Nonce stands for "numbers used once". They are used on requests to prevent unauthorized access, they send a secret key and check the key each time your code is used.

You can check out more at PHP NONCE Library from FullThrottle Development

Anthony Forloney
Thanks. Im going to look into it
Eric Gates
A: 

I personally use apache's mod_unique_id to generate a random unique number to store my sessions. It's really easy to use (if you use apache).

For nonce take a look here http://en.wikipedia.org/wiki/Cryptographic_nonce there's even a link to a PHP library.

t00ny
+1  A: 

Maybe uniqid() is what you need?

uniqid — Generate a unique ID

z-boss
Right now, I am using uniqid() but I read that using md5 on a uniqid() is not good.
Eric Gates
Why do you want to use md5? Just use uniqid.
GregS
A: 

I generally dont manually manage session ids. Ive seen something along these lines recommended for mixing things up a bit before, ive never used myself so i cant attest to it being any better or worse than the default (Note this is for use with autogen not with manual management).

//md5 "emulation" using sha1
ini_set('session.hash_function', 1);
ini_set('session.hash_bits_per_character', 5);
prodigitalson
I dont use the built in php session functions as I do not have much control over them and maybe unsecure.
Eric Gates