Wamp session IDs are insecure

[rizqidjamaluddin]

WampConnection classes use uniqid() to generate an identifier that is later used by the user. This function gives fairly predictable strings (there's even a warning on the official PHP docs) and shouldn't be used for this purpose.

Preferably session identifiers would be generated using something like openssl_random_pseudo_bytes or another safer PRNG.

[cboden]

The session id is only used as a unique identifier. It has no security implications.

[rizqidjamaluddin]

I've worked with business logic that uses session IDs for authentication/authorization purposes, usually for external purposes (e.g. an HTTP-based mechanism to authenticate a websocket session, using the ID). The spec says this is part of the intended purpose of session IDs. Would it not make sense to use a stronger random string by default?

[cboden]

Ah, I stand corrected. Could I interest you in opening a pull request with a more secure ID generator?

[rizqidjamaluddin]

Something similar to Laravel's implementation maybe? The concern I have is that there are reports of openssl_random_pseudo_bytes being slow, which could pose serious problems on high demand servers running in those situations. If it's true that this was fixed in 5.3.4 - if ratchet requires 5.3.9 (as per the composer.json) this may be a concern.

[cboden]

👍 looks good

[carnage]

You could make use of this library: https://github.com/ircmaxell/RandomLib it's fairly flexable for creating good random numbers vs fast ones. Also by using an external lib, you can benefit from security/feature patches when they arrive.

[mbonneau]

This is what we use in Thruway:
It generates random session ids in a range that fits inside of most languages' integer representations.

    /**
     * Generate a unique id for sessions and requests
     * @return mixed
     */
    public static function getUniqueId()
    {
        $filter      = 0x1fffffffffffff; // 53 bits
        $randomBytes = openssl_random_pseudo_bytes(8);
        list($high, $low) = array_values(unpack('N2', $randomBytes));
        return abs(($high << 32 | $low) & $filter);
    }

[PaulRotmann]

Hey! Thanks for reporting this issue 🙏

We're giving Ratchet some much-needed love and attention! As part of our issue cleanup initiative (#1100), we're reviewing security-related concerns like this one.

You're absolutely right about the security implications of uniqid() for session generation. While this doesn't present a security vulnerability in Ratchet's current implementation since the IDs aren't used for security-critical purposes, you're correct that uniqid() is not cryptographically secure and shouldn't be used for authentication purposes in general applications.

We're considering implementing a more secure random number generator that would use cryptographically secure functions when available, with fallback to the current mechanism. This would improve security for users who need it while maintaining backward compatibility.

We'll keep this issue open to track this security improvement.

If you want to support Ratchet, please consider sponsoring our work! ❤️