I need to generate a value that will go in a cookie so that I can uniquely identify users and after lots of reading it seems that openssl_random_pseudo_bytes() might fit the bill.
However, I’m uncertain of what length parameter I should use for the function in order for the value to be unique. I.e: should I use a length of 10, 25, 50, 100, etc?
A reasonable (strong cryptographic) security level today is 128 bits. That is the same level of security that you’d get from symmetrical encryption using a 128 bit cipher (e.g. AES-128). Assuming collisions would be a problem for your application because you want the values to be unique, we need to consider the birthday paradox, and therefore you’d want 256 bits of random data in your cookie value. That’s 32 bytes for length. Mounting a birthday attack at 256 bits takes around 2^(256/2) = 2^128 attempts to find a collision, which is equivalent to the 128 bit security level.
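One way to turn the sizing argument above into code, as an added example that is not part of the question or the answer (assumes PHP 7.3+ for the setcookie() options array, and a cookie name of "uid"):

```php
<?php
// Added example (not from the original answer): derive the byte length from the
// target security level, then generate and set the cookie value.
declare(strict_types=1);

/**
 * Number of random bytes needed for $securityBits of strength.
 * If collisions matter (values must be unique), the birthday bound means the
 * token needs twice as many bits: finding a collision among 2s random bits
 * costs about 2^(2s/2) = 2^s attempts.
 */
function tokenBytesFor(int $securityBits, bool $collisionsMatter): int
{
    $bits = $collisionsMatter ? 2 * $securityBits : $securityBits;
    return intdiv($bits + 7, 8);                    // round up to whole bytes
}

/**
 * Generate a cookie-safe (hex) identifier. Returns null if the CSPRNG was not
 * available, so the caller can refuse to issue a weak token.
 */
function newUserToken(int $securityBits = 128): ?string
{
    $length = tokenBytesFor($securityBits, true);   // 32 bytes for the 128-bit level
    $strong = false;
    $raw = openssl_random_pseudo_bytes($length, $strong);
    if ($raw === false || $strong !== true || strlen($raw) !== $length) {
        return null;                                // never fall back to a weaker source
    }
    return bin2hex($raw);                           // 64 hex characters, safe in a cookie
}

$token = newUserToken();
if ($token === null) {
    http_response_code(500);
    exit('no cryptographically strong random source available');
}

// Send the cookie only over TLS, keep it out of reach of page scripts, and do not
// attach it to cross-site requests. Cookie name "uid" is an assumption.
setcookie('uid', $token, [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```

If only unpredictability matters and duplicates are harmless, passing false for the second argument of tokenBytesFor() gives the 16-byte (128-bit) size the answer mentions as the base level.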