PHP srand problems with suhosin

Warning: This blogpost has been posted over two years ago. That is a long time in development-world! The story here may not be relevant, complete or secure. Code might not be complete or obsoleted, and even my current vision might have (completely) changed on the subject. So please do read further, but use it with caution.
Posted on 13 Dec 2010
Tagged with: [ PHP ]  [ rand ]  [ suhosin

Today I stumbled across an odd problem which took me about an hour to figure out what was going on. It had to do with mt_srand(), where it looked like it didn’t work properly. I needed a repeatable sequence of random numbers (which is EXACTLY what the Mersenne Twister produces) so I used mt_srand() with a fixed number (for testing purposes) and tried to see if the same sequence of random values were generated by mt_rand()..  It didn’t…

It turns out that the problem is the suhosin-patch, which comes standard with the Debian php install. It actually ignores any mt_srand() or srand() calls you make and initializes the randomizer by itself. The good thing about that is you don’t have to worry about seeding the algorithm (but then again, you really shouldn’t worry about it anyway) and it’s a great way to keep yourself shooting in the foot by issues a fixed number to srand() which 9 out of 10 times is NOT what you want. However, there ARE times you need to produce the same random string over and over again for whatever reason (in my case, for benchmarking multiple algorithms which need the same sequence of random data).

Fixing is very easy: to change suhosin’s behaviour you have to add this to your php.ini, or htaccess file:

suhosin.srand.ignore = Off
suhosin.mt_srand.ignore = Off

and after a restart your pseudo random sequencer works just as intended. Make sure you place this inside your /etc/php5/cli/php.ini as well if you are using srand() or mt_srand() on the command line as well.

debian-jth:/# php -r "srand(1234); print rand().' '.rand().' '.rand().PHP_EOL;"
132944649 364831264 1826128210
debian-jth:/# php -r "srand(1234); print rand().' '.rand().' '.rand().PHP_EOL;"
1642195638 1487932884 221171297
debian-jth:/# php -r "srand(1234); print rand().' '.rand().' '.rand().PHP_EOL;"
64520007 504830771 1911592427 
debian-jth:/# php --define suhosin.srand.ignore=off -r "srand(1234); print rand().' '.rand().' '.rand().PHP_EOL;"
1696046501 327732573 293947485
debian-jth:/# php --define suhosin.srand.ignore=off -r "srand(1234); print rand().' '.rand().' '.rand().PHP_EOL;"
1696046501 327732573 293947485
debian-jth:/# php --define suhosin.srand.ignore=off -r "srand(1234); print rand().' '.rand().' '.rand().PHP_EOL;"
1696046501 327732573 293947485
debian-jth:/#