What is the best way of making a md5 hash for the purpose of storing a session? Also, I am looking for one that works with PHP and works without many extensions added because I want my code to be portable. Also, I have heard of the word nonce, but how do I really use a nonce?
A:
You can use PHP's built-in hashing functions, sha1 and md5. Choose one, not both.
One may think that using both, sha1(md5($pass)) would be a solution. Using both does not make your password more secure, its causes redundant data and does not make much sense.
Take a look at PHP Security Consortium: Password Hashing they give a good article with weaknesses and improving security with hashing.
Nonce stands for "numbers used once". They are used on requests to prevent unauthorized access, they send a secret key and check the key each time your code is used.
You can check out more at PHP NONCE Library from FullThrottle Development
Anthony Forloney
2010-02-19 02:27:02
Thanks. Im going to look into it
Eric Gates
2010-02-19 02:44:22
A:
I personally use apache's mod_unique_id to generate a random unique number to store my sessions. It's really easy to use (if you use apache).
For nonce take a look here http://en.wikipedia.org/wiki/Cryptographic_nonce there's even a link to a PHP library.
t00ny
2010-02-19 02:31:32
Right now, I am using uniqid() but I read that using md5 on a uniqid() is not good.
Eric Gates
2010-02-19 02:35:25
A:
I generally dont manually manage session ids. Ive seen something along these lines recommended for mixing things up a bit before, ive never used myself so i cant attest to it being any better or worse than the default (Note this is for use with autogen not with manual management).
//md5 "emulation" using sha1
ini_set('session.hash_function', 1);
ini_set('session.hash_bits_per_character', 5);
prodigitalson
2010-02-19 02:37:46
I dont use the built in php session functions as I do not have much control over them and maybe unsecure.
Eric Gates
2010-02-19 03:42:19