i want to use mcrypt to create a 256 bit token to set as the cookie for the user.
I have read a number of articles suggesting to use mcrypt DEV_RANDOM
I am using the code
$size = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CFB);
$iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
But the result i get when i output the token is
ǡw��ӣ�:z���{d
Is this what it is supposed to look like? iF not, what do i have to do to generate a proper token.
Thanks
Use bin2hex to get a more "friendly" representation of the data. bin2hex will convert the bytes you have generated into an ASCII encoded hex representation of the original string.
$size = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CFB);
$iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
$hexIv = bin2hex($iv);
The reason you are getting the strange output is because you are taking a random sequence of bytes and trying to represent them at some kind of human readable text by treating it as a string encoded in whatever is the default encoding for the application you are viewing the string in (e.g you web browser).
Example:
$size = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CFB);
$iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
echo "RAW IV: ";
echo $iv;
echo "\n Hex: ";
echo bin2hex($iv);
Output:
RAW IV: ª£2æ|%ìE½ßy²ý
Hex: 0aaaa332e67c25ecad45bddf7919b2fd
In addition you should note the following things:
MCRYPT_DEV_RANDOM will block if the entropy pool is depleted.MCRYPT_DEV_URANDOM is most likely a better choice as it won't block. The output is less random, but this is fine for most purposes.openssl_random_pseudo_bytes which, for your use-case, performs the same function as the two mcrypt_ function calls (with MCRYPT_DEV_URANDOM). It does not require the mcrypt extension, only that PHP was compiled with OpenSSL support.