Better Random Numbers in PHP using /dev/urandom
First posted in the Code as Craft blog. Here’s the intro:
The design of PHP’s basic random number generators rand and it’s newer variant mt_rand is based off the C Standard Library. For better or worse, both use a single global state and this can be reset using stand (or mt_srand). This means anyone (a developer, a third party module, a library) could set the state to a fixed value and every random number following will be the same for every request. Sometimes this is the desired behavior but this can also have disastrous consequences. For instance, everyone’s password reset code could end up being the same.
Update 2018: I assume PHP has since fixed how the default random number generation is done, but if not, this technique should still work. When this article came out I got a lot of feedback on how I’m wrong and one should really use
/dev/random. Be my guest, but don’t call me when your server locks up waiting for “entropy.”