
MB-R023 Cryptographically secure RNG

C03 Secure Coding Practices High

Security tokens, nonces, and session identifiers must use CSPRNG functions (random_bytes, random_int). Insecure RNG (rand, mt_rand) can be predicted by attackers, enabling replay or token guessing. Cryptographically secure generators are mandatory for sensitive operations.

Why it Matters

Security tokens, session IDs, and nonces must be unpredictable. If weak random functions like rand() or mt_rand() are used, attackers may guess the values and hijack sessions or bypass protections.

Cryptographically secure random number generators (CSPRNGs) such as random_bytes() or random_int() produce values that cannot be predicted. Using them ensures that tokens for authentication, password reset, and API access remain safe against brute force or guessing attacks.

Verification Steps

Manual

# Search custom code for weak RNG functions
grep -R "rand(" app/code
grep -R "mt_rand(" app/code

# Check if secure functions like random_bytes() or random_int() are used instead
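
An automated form of the manual search above, as an added example that is not part of the original baseline: it reports only calls to rand() and mt_rand(), skipping look-alikes such as array_rand(), random_int(), method calls and comment lines. The function names, the regular expression and the sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example: flag calls to rand() / mt_rand() in PHP sources.
# Names, regex and sample files are constructed for this illustration.

# "rand(" or "mt_rand(" not preceded by an identifier character, "->",
# "::" or "$", so array_rand(), random_int() and $obj->rand() are skipped.
WEAK_RNG_RE='(^|[^A-Za-z0-9_>:$])(mt_)?rand[[:space:]]*\('

# Print file:line:code for each weak RNG call under $1 (default app/code),
# dropping lines that are entirely a comment.
list_weak_rng() {
    find "${1:-app/code}" -type f \( -name '*.php' -o -name '*.phtml' \) \
        -exec grep -nE "$WEAK_RNG_RE" /dev/null {} + |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*(//|/\*|#|\*)' || true
}

count_weak_rng() { list_weak_rng "$1" | grep -c . || true; }

# CI gate: status 0 when clean, 1 (with findings printed) otherwise.
scan_weak_rng() {
    findings=$(list_weak_rng "$1")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: two real findings, several look-alikes.
make_sample() {
    mkdir -p "$1/Vendor/Module"
    cat > "$1/Vendor/Module/Token.php" <<'EOF'
<?php
$token = md5(mt_rand());
$pin = rand(1000, 9999);
// $old = mt_rand();
$key = array_rand($items);
$n = $generator->rand();
EOF
    cat > "$1/Vendor/Module/Safe.php" <<'EOF'
<?php
$token = bin2hex(random_bytes(32));
$pin = random_int(1000, 9999);
EOF
}

demo=$(mktemp -d) && make_sample "$demo"
scan_weak_rng "$demo" || echo "weak RNG calls found: $(count_weak_rng "$demo")"
rm -rf "$demo"
```

Run `scan_weak_rng app/code` as a build step; each reported line still needs review to decide whether the value is security-sensitive.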

Remediation / Fix Guidance

  1. Replace rand() and mt_rand() with random_int() for integers.
  2. Use random_bytes() when generating tokens or binary data.
  3. Base64-encode or hex-encode random bytes if a string output is needed.
  4. Review authentication, reset, and token generation logic to ensure CSPRNG is used consistently.

Examples

Fail Example
// Weak, predictable
$token = md5(mt_rand());

Pass Example
// Strong, unpredictable
$token = bin2hex(random_bytes(32));
