Generating CSRF puts too much load

Has anyone encountered the situation in which using the CSRF code on a form increases the page loading time substantially? In my case, a page without any CSRF inputs loads in aprox. 0.4s. By adding (generating) a CSRF code, the loading time increases to 1.4s. More than this, adding a second CSRF input adds another second to the page loading time ... and so on.

Any ideas?



3.5k

random bytes: 16 work factor: 8

Only by running getSaltBytes() the loading time jumped from 0.2s to values between 1.4s and 3.4s Also, the security component is the one registered automatically, as I did not do any special setup for it (only ran, for example, $this->security->getSaltBytes() in the controller).

I have to add that this is tested on a Windows7 version of PHP 5.3.6, having latest version of Phalcon (1.2.1)

One of the solutions I see is to use ISAAC secure random number generator: http://www.burtleburtle.net/bob/rand/isaacafa.html It is extremely fast.

ISAAC can be seeded during phalcon startup: on Windows php_win32_get_random_bytes() function can be used (mcrtypt uses as a substitute for /dev/urandom), on Linux/Mac we can use /dev/urandom and fall back to plain rand() if everything else fails.



3.5k

Thanks Vladimir.

Since the app is intended for a Linux box, and only the development is done on Windows, I think I can cope with that.