Fix #6103

Author: zsturgess

components/security/secure_tools.rst

@@ -1,5 +1,5 @@
-Securely Comparing Strings and Generating Random Numbers
-========================================================
+Securely Generating Random Values 
+=================================
 
 The Symfony Security component comes with a collection of nice utilities
 related to security. These utilities are used by Symfony, but you should
@@ -21,45 +21,41 @@ algorithm; you can use the same strategy in your own code thanks to the
     // is some known string (e.g. password) equal to some user input?
     $bool = StringUtils::equals($knownString, $userInput);
 
-Generating a Secure random Number
+Generating a Secure Random String
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Whenever you need to generate a secure random number, you are highly
-encouraged to use the Symfony
-:class:`Symfony\\Component\\Security\\Core\\Util\\SecureRandom` class::
+Whenever you need to generate a secure random string, you are highly
+encouraged to use the 
+:phpfunction:`random_bytes` function::
 
-    use Symfony\Component\Security\Core\Util\SecureRandom;
+    $random = random_bytes(10);
 
-    $generator = new SecureRandom();
-    $random = $generator->nextBytes(10);
+The function returns a random string, suitable for cryptographic use, of
+the number bytes passed as an argument (10 in the above example).
 
-The
-:method:`Symfony\\Component\\Security\\Core\\Util\\SecureRandom::nextBytes`
-method returns a random string composed of the number of characters passed as
-an argument (10 in the above example).
+.. tip::
 
-The SecureRandom class works better when OpenSSL is installed. But when it's
-not available, it falls back to an internal algorithm, which needs a seed file
-to work correctly. Just pass a file name to enable it::
+    The ``random_bytes()`` function returns a binary string which may contain the
+    ``\0`` character. This can cause trouble in several common scenarios, such
+    as storing this value in a database or including it as part of the URL. The
+    solution is to encode or hash the value returned by ``random_bytes()`` (to do that, you
+    can use a simple ``base64_encode()`` PHP function).
 
-    use Symfony\Component\Security\Core\Util\SecureRandom;
+Generating a Secure Random Number
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-    $generator = new SecureRandom('/some/path/to/store/the/seed.txt');
+If you need to generate a cryptographically secure random integer, you should
+use the
+:phpfunction:`random_int` function::
 
-    $random = $generator->nextBytes(10);
-    $hashedRandom = md5($random); // see tip below
+    $random = random_int(1, 10);
 
 .. note::
 
-    If you're using the Symfony Framework, you can get a secure random number
-    generator via the ``security.secure_random`` service.
-
-.. tip::
-
-    The ``nextBytes()`` method returns a binary string which may contain the
-    ``\0`` character. This can cause trouble in several common scenarios, such
-    as storing this value in a database or including it as part of the URL. The
-    solution is to hash the value returned by ``nextBytes()`` (to do that, you
-    can use a simple ``md5()`` PHP function).
+    PHP 7 and up provide the ``random_bytes()`` and ``random_int()`` functions natively,
+    for older versions of PHP a polyfill is provided by the `Symfony Polyfill Component`_
+    and the `paragonie/random_compat package`_.
 
 .. _`Timing attack`: https://en.wikipedia.org/wiki/Timing_attack
+.. _`Symfony Polyfill Component`: https://github.com/symfony/polyfill
+.. _`paragonie/random_compat package`: https://github.com/paragonie/random_compat