Building a CHAP Login System: Coding Server-Side Random Seeds

As a matter of fact, the random seed generator written to work with the prior example is pretty poor to include in real web applications. It’s precisely for that reason that I’ll define, first, a PHP function aimed specifically at generating true random strings, then another session-wrapping function, tasked with registering session variables, and finally a third function for obtaining their values. The combination of these functions will be the core engine for generating random challenge values, used at a later time by the JavaScript program.

Having provided an introduction to these functions, here is the definition for the “getRandomString()” function:

function getRandomString($length=40){

  if(!is_int($length)||$length<1){

    trigger_error('Invalid length for random string');

    exit();

  }

  $chars=
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

  $randstring='';

  $maxvalue=strlen($chars)-1;

  for($i=0;$i<$length;$i++){

    $randstring.=substr($chars,rand(0,$maxvalue),1);

  }

  return $randstring;

}

Essentially, what this function does is generate a random string of a given length, which will be used as the challenge string sent by the server. At first glance, you can see that its logic is fairly simple to grasp, and of course provides the required flexibility to adjust the length of random strings to specific values. For this case, I’ve set up a default string length of 40 characters.

Now, let’s pay attention to the next function, “setChallengeVar()”, which acts as a wrapper for registering session variables and assigning random strings to them. It looks like this:

function setChallengeVar($name='challenge'){

  if(!is_string($name)||!$name){

    trigger_error('Invalid variable name');

    exit();

  }

  session_start();

  // register session variable

  $_SESSION[$name]=getRandomString();

}

With reference to the above function, it merely registers a new session variable specified by the $name key and assigns to it the random string returned by the “getRandomString()” function. Since the function is extremely simple, I won’t stop you long with boring details. Instead, I’ll show the next “getSessionVar()” function, which returns a specified session variable. Its source code is the following:

function getChallengeVar($name='challenge'){

  if(!$_SESSION[$name]){

    trigger_error('Invalid variable name');

    exit();

  }

  return $_SESSION[$name];

}

Now, I’m able to obtain a server-side challenge string, by invoking the “setChallengeVar()” function, like this:

setChallengeVar();

This simple one-liner registers a “challenge” session variable, and populates it with a 40-digit random string, which will be used as the challenge value by the JavaScript code.

The next thing to explain is how the JavaScript program integrates the power of the above-listed functions, in order to boost the login system.