New in Symfony 2.2: Security Utilities

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.

Contributed by Fabien Potencier in #4763.

As of Symfony 2.2, we have refactored some security utilities so that you can use them in your own code. These utilities are available in the Symfony\Component\Security\Core\Util namespace.

Generating a Secure Random Number

If you need to generate a secure random number, rely on a strong implementation rather than a general-purpose one. Symfony provides one:

use Symfony\Component\Security\Core\Util\SecureRandom;

// SecureRandom uses OpenSSL when it is available and otherwise falls back
// to its own seeded generator.
$generator = new SecureRandom();
// Ask for 10 random bytes; the result is a binary string, not printable text.
$random = $generator->nextBytes(10);

The nextBytes() method returns a random binary string whose length is the number of bytes passed as an argument (10 in the above example).

Comparing Strings

Timing attacks are not that well known, but Symfony still protects against them. In Symfony 2.0 and 2.1, this protection was applied only to the password comparisons done inside the Security bundle; as of Symfony 2.2, it is also available to the developer:

use Symfony\Component\Security\Core\Util\StringUtils;

// Is $password1 equal to $password2? The comparison takes the same time
// regardless of where the two strings first differ.
$bool = StringUtils::equals($password1, $password2);
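To show what such a helper has to do, here is an added example (not Symfony's own code) of a comparison whose running time depends only on the length of the known, server-side string, plus a digest variant that hides even that length, which is the usual answer to the length leak mentioned in the comments below. The sample values are constructed; modern PHP (5.6 and later) ships hash_equals() for this purpose.

```php
<?php
// Added example, not Symfony's code. Constant-time comparison helpers.

/**
 * Compare $userInput against $known. For a given $known, every call does the
 * same amount of work: the loop always runs strlen($known) times and never
 * exits early, so neither the position of the first differing byte nor the
 * length of $userInput shows up in the timing.
 */
function constantTimeEquals(string $known, string $userInput): bool
{
    $knownLen = strlen($known);
    $userLen = strlen($userInput);

    // Pad the user input so that indexing below is always in range. A longer
    // input is not truncated here; the loop bound takes care of it.
    $userInput = str_pad($userInput, $knownLen, "\0");

    // Fold a length mismatch into the result instead of returning early;
    // an early return is exactly what would leak the known length.
    $result = $knownLen ^ $userLen;

    for ($i = 0; $i < $knownLen; $i++) {
        // OR-accumulate the XOR of each byte pair: any difference sets a bit.
        $result |= ord($known[$i]) ^ ord($userInput[$i]);
    }

    return 0 === $result;
}

/**
 * Hide the known string's length as well: hash both sides to a fixed-size
 * digest first, then compare the digests in constant time.
 */
function digestEquals(string $known, string $userInput): bool
{
    return constantTimeEquals(
        hash('sha256', $known, true),
        hash('sha256', $userInput, true)
    );
}

// Constructed sample values for a quick self-check.
var_dump(constantTimeEquals('s3cret-token', 's3cret-token'));
var_dump(constantTimeEquals('s3cret-token', 's3cret-tokeN'));
var_dump(constantTimeEquals('s3cret-token', 's3cret'));
var_dump(constantTimeEquals('s3cret-token', 's3cret-token-xyz'));
var_dump(digestEquals('s3cret-token', 's3cret-token'));
```

Only the first and last calls are equal; a shorter, longer or single-byte-different input all fail without changing how many loop iterations run.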

Want to learn more? Have a look at the dedicated documentation.


Comments

Useful!
Nice. And really appreciate these frequent updates.
Nevertheless, we can get the password length with a timing attack.
