phpwn: PHP cookie PRNG flawed (Netscape redux)

Chris Palmer chris at
Thu Aug 5 13:33:17 EDT 2010

travis+ml-cryptography at writes:


He doesn't mention the php.ini variables session.entropy_length and
session.entropy_file. Last I checked, their default settings were unsafe,
but setting them to 16 and /dev/urandom should solve the problem he
describes in the paper.

Unless not.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
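As an added illustration of the php.ini fix mentioned above (example code, not part of the post or of PHP's own documentation), the script below audits the two directives before starting a session and sets them to the values Chris suggests if they are weaker. It assumes a PHP version older than 7.1, where `session.entropy_length` and `session.entropy_file` still exist and can be changed at runtime with `ini_set()`; in PHP 7.1 and later the directives were removed and session IDs are drawn from the OS CSPRNG, so `ini_get()` returns `false` for both and the audit treats that as safe.

```php
<?php
// Added example (not from the mailing-list post): check and, where possible,
// correct the PHP session-ID entropy settings discussed in the thread.
// Assumption: PHP < 7.1, where these directives exist and are PHP_INI_ALL,
// so ini_set() can change them as long as it runs before session_start().

function auditSessionEntropy(): array
{
    $length = ini_get('session.entropy_length');
    $file   = ini_get('session.entropy_file');

    // PHP >= 7.1 removed both directives; session IDs then come from the OS CSPRNG.
    if ($length === false && $file === false) {
        return ['ok' => true, 'reason' => 'directives absent (PHP >= 7.1 uses the OS CSPRNG)'];
    }

    $problems = [];
    if ((int) $length < 16) {
        $problems[] = "session.entropy_length is '$length' (want at least 16 bytes)";
    }
    if ($file !== '/dev/urandom') {
        $problems[] = "session.entropy_file is '$file' (want /dev/urandom)";
    }

    return [
        'ok'     => $problems === [],
        'reason' => $problems === [] ? 'hardened' : implode('; ', $problems),
    ];
}

function hardenSessionEntropy(): void
{
    // Values from the post: 16 bytes of seed read from the kernel's urandom pool.
    ini_set('session.entropy_length', '16');
    ini_set('session.entropy_file', '/dev/urandom');
}

$before = auditSessionEntropy();
if (!$before['ok']) {
    hardenSessionEntropy();
}

$after = auditSessionEntropy();
if (!$after['ok']) {
    // Refuse to hand out session IDs from a predictable seed source.
    throw new RuntimeException('Unsafe session entropy settings: ' . $after['reason']);
}

session_start();
```

Running the audit in application code is a stopgap; the durable fix is to set the same two values in php.ini (or to upgrade to a PHP release that no longer exposes the directives), and the script's `RuntimeException` path is there so a deployment whose php.ini silently reverts to the old defaults fails closed rather than issuing weak session IDs.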
