How is the session cookie generated in Typo3?



The Typo3 session cookie fe_typo_user is a (seemingly) opaque value consisting of 32 hexadecimal digits. Statistical analysis of a large sample of distinct cookie values shows that their entropy is far below the theoretical maximum of 128 bits.

I can't find any clear information on this: how is fe_typo_user generated?

It is generated as a sequence of random bytes. This is done by the function getRandomHexString in TYPO3\CMS\Core\Utility\GeneralUtility, which in turn calls the function generateRandomBytes, also in GeneralUtility. The function code:

/**
 * Returns a string of highly randomized bytes (over the full 8-bit range).
 *
 * Note: Returned values are not guaranteed to be crypto-safe,
 * most likely they are not, depending on the used retrieval method.
 *
 * @param integer $bytesToReturn Number of characters (bytes) to return
 * @return string Random Bytes
 * @see http://bugs.php.net/bug.php?id=52523
 * @see http://www.php-security.org/2010/05/09/mops-submission-04-generating-unpredictable-session-ids-and-hashes/index.html
 */
static public function generateRandomBytes($bytesToReturn) {
    // Cache 4k of the generated bytestream.
    static $bytes = '';
    $bytesToGenerate = max(4096, $bytesToReturn);
    // if we have not enough random bytes cached, we generate new ones
    if (!isset($bytes[($bytesToReturn - 1)])) {
        if (TYPO3_OS === 'WIN') {
            // Openssl seems to be deadly slow on Windows, so try to use mcrypt
            // Windows PHP versions have a bug when using urandom source (see #24410)
            $bytes .= self::generateRandomBytesMcrypt($bytesToGenerate, MCRYPT_RAND);
        } else {
            // Try to use native PHP functions first, precedence has openssl
            $bytes .= self::generateRandomBytesOpenSsl($bytesToGenerate);
            if (!isset($bytes[($bytesToReturn - 1)])) {
                $bytes .= self::generateRandomBytesMcrypt($bytesToGenerate, MCRYPT_DEV_URANDOM);
            }
            // If openssl and mcrypt failed, try /dev/urandom
            if (!isset($bytes[($bytesToReturn - 1)])) {
                $bytes .= self::generateRandomBytesUrandom($bytesToGenerate);
            }
        }
        // Fall back if other random byte generation failed until now
        if (!isset($bytes[($bytesToReturn - 1)])) {
            $bytes .= self::generateRandomBytesFallback($bytesToReturn);
        }
    }
    // get first $bytesToReturn and remove it from the byte cache
    $output = substr($bytes, 0, $bytesToReturn);
    $bytes = substr($bytes, $bytesToReturn);
    return $output;
}
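The question above rests on measuring the entropy of a sample of cookie values. The following is an added example (not code from the question, the answer or the TYPO3 project) showing one such check: per-position Shannon entropy over a sample of 32-hex-digit cookies, run against a constructed CSPRNG-backed sample and a constructed, hypothetical weak generator whose output is not TYPO3's.

```python
import math
import secrets
from collections import Counter

COOKIE_HEX_DIGITS = 32  # fe_typo_user: 16 random bytes rendered as hex


def per_position_entropy(cookies):
    """Shannon entropy in bits of the hex digit observed at each position.

    A uniformly random 32-hex-digit cookie gives close to 4 bits per position
    (slightly less with a finite sample); a position that never varies gives 0.
    """
    n = len(cookies)
    entropies = []
    for pos in range(COOKIE_HEX_DIGITS):
        counts = Counter(cookie[pos] for cookie in cookies)
        entropies.append(-sum(k / n * math.log2(k / n) for k in counts.values()))
    return entropies


def entropy_report(cookies):
    """Summarise a sample: summed per-position bits, number of (near) constant
    positions, and the fraction of unique values.

    The sum treats positions as independent, so it is only an upper estimate:
    a counter-like generator scores well here yet is predictable, so a real
    audit also checks uniqueness and ordering between consecutive cookies.
    """
    bits = per_position_entropy(cookies)
    return {
        "estimated_bits": sum(bits),
        "constant_positions": sum(1 for h in bits if h < 0.5),
        "unique_fraction": len(set(cookies)) / len(cookies),
    }


def strong_cookies(n):
    """Constructed sample: what a CSPRNG-backed generator looks like."""
    return [secrets.token_hex(16) for _ in range(n)]


def weak_cookies(n):
    """Constructed sample of a hypothetical weak generator (not TYPO3's):
    only the first four hex digits vary, the remaining 28 are fixed."""
    return [secrets.token_hex(2) + "0" * 28 for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("strong", strong_cookies(4000)), ("weak", weak_cookies(4000))):
        print(label, entropy_report(sample))
```

With a few thousand samples the strong set reports close to 128 bits and no constant positions, while the weak set reports roughly 16 bits with 28 constant positions.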
