Improve token generation by using openssl or /dev/urandom or uniqid() as fallback

models/base.php

@@ -14,27 +14,58 @@ require __DIR__.'/../vendor/SimpleValidator/Validators/AlphaNumeric.php';
 require __DIR__.'/../vendor/SimpleValidator/Validators/GreaterThan.php';
 require __DIR__.'/../vendor/SimpleValidator/Validators/Date.php';
 
+/**
+ * Base model class
+ *
+ * @package  model
+ * @author   Frederic Guillot
+ */
 abstract class Base
 {
+    /**
+     * Database instance
+     *
+     * @access protected
+     * @var PicoDb
+     */
     protected $db;
+
+    /**
+     * Event dispatcher instance
+     *
+     * @access protected
+     * @var Core\Event
+     */
     protected $event;
 
+    /**
+     * Constructor
+     *
+     * @access public
+     * @param  PicoDb\Database  $db     Database instance
+     * @param  Core\Event       $event  Event dispatcher instance
+     */
     public function __construct(\PicoDb\Database $db, \Core\Event $event)
     {
         $this->db = $db;
         $this->event = $event;
     }
 
-    // Generate a random token from /dev/urandom or with uniqid()
+    /**
+     * Generate a random token with different methods: openssl or /dev/urandom or fallback to uniqid()
+     *
+     * @access public
+     * @return string  Random token
+     */
     public static function generateToken()
     {
-        if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
+        if (function_exists('openssl_random_pseudo_bytes')) {
-            $token = file_get_contents('/dev/urandom', false, null, 0, 30);
+            return bin2hex(\openssl_random_pseudo_bytes(16));
         }
-        else {
+        else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
-            $token = uniqid(mt_rand(), true);
+            return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30));
         }
 
-        return hash('crc32b', $token);
+        return hash('sha256', uniqid(mt_rand(), true));
     }
 }