Which one of these two choices provides better randomness?



Hi all,

I'm coding a simple PHP application that will store a user's session id
as a cookie.
Since I would like to avoid dealing with the session id generation
features of PHP, I tried coming up with something quite simple.

At the beginning I thought about using a SHA-512 hash of a random
sequence of bytes.
This is the relevant code:

$randomSequence = mcrypt_create_iv(8, MCRYPT_DEV_URANDOM);
$id = hash('sha512', $randomSequence);

Now, I suppose that this is reasonably random.
At least for a site that doesn't store any financial or personal data
about its users.

In the hope of generating an even more random value, I came up with
this code:

// Generate the random sequence
$randomSequence = mcrypt_create_iv(8,MCRYPT_DEV_URANDOM);
// Calculate the hash
$tmp = hash('sha512', $randomSequence);
// Append to the hash a timestamp and then calculate another hash
$tmp2 = hash('sha512', $tmp . microtime());
// Concatenate the two hashes
$tmp = $tmp . $tmp2;
// Get a random number between 0 and 72
$randomStart = mt_rand(0,72);
// The session id is a substring of $tmp.
// 200 characters long and starting from $randomStart
$id = substr($tmp, $randomStart, 200);

In the eyes of a person without the necessary knowledge on these
matters, just like me, the second method could be easily regarded
as "more random" than the first one.
But then again it might as well be very possible that I'm "removing
entropy" or something along these lines.

To avoid shooting myself in the foot I'd really like to hear your
opinion on which method I should follow.

Thanks for reading,
Luigi
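As an added illustration (not code from the post), here are both constructions modelled in Python so the entropy of each output can be bounded from its inputs: mt_rand(0,72) is modelled as an explicit start offset, microtime() as a string argument, and the hardened variant (read more bytes from the OS and hex-encode them directly) is an assumption of this example, not something the poster proposed.

```python
"""Entropy of two session-id constructions (added example, not the poster's code).

The output of method 2 is a deterministic function of the same 8 random
bytes plus two low-entropy inputs (microtime, mt_rand(0,72)), so it cannot
carry more entropy than those inputs, however long the resulting string is.
"""
import hashlib
import math
import os


def method1(random_bytes: bytes) -> str:
    """SHA-512 hex of the random bytes (the poster's first snippet)."""
    return hashlib.sha512(random_bytes).hexdigest()


def method2(random_bytes: bytes, microtime: str, start: int) -> str:
    """The poster's second snippet: hash, re-hash with a timestamp appended,
    concatenate both hex digests, then take 200 chars from offset `start`.
    Note the concatenation is only 256 chars, so for start > 56 the id is
    shorter than 200 characters."""
    tmp = hashlib.sha512(random_bytes).hexdigest()
    tmp2 = hashlib.sha512((tmp + microtime).encode()).hexdigest()
    return (tmp + tmp2)[start:start + 200]


def entropy_upper_bound_bits(n_random_bytes: int, n_start_choices: int,
                             timestamp_guess_bits: float) -> float:
    """An output never holds more entropy than its inputs.
    Method 1: (8, 1, 0). Method 2: (8, 73, bits of the timestamp an attacker
    cannot guess, often close to 0 since request times are observable)."""
    return 8 * n_random_bytes + math.log2(n_start_choices) + timestamp_guess_bits


def distinct_ids_for_fixed_seed(random_bytes: bytes, microtime: str) -> int:
    """With the 8 random bytes and the timestamp fixed, only the offset varies,
    so at most 73 distinct ids exist: the extra length adds no entropy."""
    return len({method2(random_bytes, microtime, s) for s in range(73)})


def simple_session_id(n_bytes: int = 32) -> str:
    """Assumed hardened form: take more entropy from the OS and hex-encode it
    directly. 32 bytes gives 256 bits in a 64-character id; hashing adds nothing."""
    return os.urandom(n_bytes).hex()
```

The bound for method 2 with a fully guessable timestamp is 64 + log2(73), about 70 bits, against 256 bits for 32 raw bytes.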


