Wamp session IDs are insecure

[rizqidjamaluddin]

WampConnection classes use uniqid() to generate an identifier that is later used by the user. This function gives fairly predictable strings (there's even a warning on the official PHP docs) and shouldn't be used for this purpose.

Preferably session identifiers would be generated using something like openssl_random_pseudo_bytes or another safer PRNG.

[cboden]

The session id is only used as a unique identifier. It has no security implications.

[rizqidjamaluddin]

I've worked with business logic that uses session IDs for authentication/authorization purposes, usually for external purposes (e.g. an HTTP-based mechanism to authenticate a websocket session, using the ID). The spec says this is part of the intended purpose of session IDs. Would it not make sense to use a stronger random string by default?

[cboden]

Ah, I stand corrected. Could I interest you in opening a pull request with a more secure ID generator?

[rizqidjamaluddin]

Something similar to Laravel's implementation maybe? The concern I have is that there are reports of openssl_random_pseudo_bytes being slow, which could pose serious problems on high demand servers running in those situations. If it's true that this was fixed in 5.3.4 - if ratchet requires 5.3.9 (as per the composer.json) this may be a concern.

[cboden]

👍 looks good

[carnage]

You could make use of this library: https://github.com/ircmaxell/RandomLib it's fairly flexable for creating good random numbers vs fast ones. Also by using an external lib, you can benefit from security/feature patches when they arrive.

[mbonneau]

This is what we use in Thruway:
It generates random session ids in a range that fits inside of most languages' integer representations.

    /**
     * Generate a unique id for sessions and requests
     * @return mixed
     */
    public static function getUniqueId()
    {
        $filter      = 0x1fffffffffffff; // 53 bits
        $randomBytes = openssl_random_pseudo_bytes(8);
        list($high, $low) = array_values(unpack('N2', $randomBytes));
        return abs(($high << 32 | $low) & $filter);
    }