How do you generate a security string in PHP?


I am building a login system for my website, however I have always used the $_SESSION variable before for remembering people logged in, but this time they need to be remembered via cookies. The cookie will store their username and security code which I will also store in a database allowing me to confirm that they are the correct user. I have seen various approaches to this, however I would like to generate a completely secure string.


$_SESSION already uses cookies by default, so you don't have to change anything. Just make sure the <a href="http://php.net/manual/en/session.configuration.php#ini.session.use-cookies" rel="nofollow">use_cookies</a> and <a href="http://php.net/manual/en/session.configuration.php#ini.session.use-only-cookies" rel="nofollow">use_only_cookies</a> configuration options are set to on.


A secret is usually a random number, which you can compute its md5 and put it inside a cookie, this is how I do it for one of my applications ($salt is a unique large arbitrary string):

$rnd = mt_rand( 0, 0x7fffffff ) ^ crc32( $salt ) ^ crc32( microtime() ); $secret = md5( $rnd );

if you want to make it even more secure everytime you make a $rnd save it somewhere (in DB perhaps) and shift your next $rnd by its value and save that next $rnd in the DB...


I use the <a href="http://www.asciitable.com/" rel="nofollow">ASCII code</a> with the function <a href="http://pt2.php.net/manual/en/function.chr.php" rel="nofollow">chr</a>, from the character 33 to 126.

The function is like this:

$seed = ""; for ($i = 1; $i <= 20; $i++) { $seed .= chr( mt_rand(33,126) ); } return md5($seed);


  • How to find documents with exactly the same array entries as in a query
  • Get pretty git rev name
  • What's a better way to swap two argument values?
  • How to distribute Java-based software?
  • Why not Factory pattern for sorting? [closed]
  • Nginx rewrite equivalent to Apache RewriteRule that converts URL params into QueryString key/value p
  • Can't connect Entity Framework to local SQL Server Express
  • Visual studio alerts workspace already exists
  • How to extract a number from a string [duplicate]
  • SIP API media codecs
  • How to synchronize jQuery dialog box to act like alert() of Javascript
  • SetWindowsHookEx does not react on media keys
  • Web.config system.webserver errors
  • Python CGI os.system causing malformed header
  • NetLogo BehaviorSpace - Measure runs using reporters
  • recyclerView does not call the onBindViewHolder when scroll in the view
  • How to add a column to a Pandas dataframe made of arrays of the n-preceding values of another column
  • How to extract text from Word files using C#?
  • How to check if every primary key value is being referenced as foreign key in another table
  • Sending data from AppleScript to FileMaker records
  • WinForms: two way TextBox problem
  • Function pointer “assignment from incompatible pointer type” only when using vararg ellipsis
  • Calling of Constructors in a Java
  • 0x202A in filename: Why?
  • Traverse Array and Display in markup
  • Transpose CSV data with awk (pivot transformation)
  • ExecuteAsync RestSharp to allow backgroundWorker CancellationPending c#
  • Acquiring multiple attributes from .xml file in c#
  • Why can't I rebase on to an ancestor of source changesets if on a different branch?
  • Why joiner is not used after Sequence generator or Update statergy
  • How to CLICK on IE download dialog box i.e.(Open, Save, Save As…)
  • File not found error Google Drive API
  • Authorize attributes not working in MVC 4
  • How can I remove ASP.NET Designer.cs files?
  • Busy indicator not showing up in wpf window [duplicate]
  • How to get NHibernate ISession to cache entity not retrieved by primary key
  • Android Heatmap on canvas or ImageView
  • Python/Django TangoWithDjango Models and Databases
  • java string with new operator and a literal
  • Net Present Value in Excel for Grouped Recurring CF