We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Generating CSRF puts too much load

Has anyone encountered the situation in which using the CSRF code on a form increases the page loading time substantially? In my case, a page without any CSRF inputs loads in aprox. 0.4s. By adding (generating) a CSRF code, the loading time increases to 1.4s. More than this, adding a second CSRF input adds another second to the page loading time ... and so on.

Any ideas?

how many bytes are used to Phalcon\Security::getTokenKey and Phalcon\Security::getToken or setWorkFactor?

http://docs.phalcon.io/en/latest/reference/security.html#setting-up-the-component http://docs.phalcon.io/en/latest/api/Phalcon_Security.html


random bytes: 16 work factor: 8

Only by running getSaltBytes() the loading time jumped from 0.2s to values between 1.4s and 3.4s Also, the security component is the one registered automatically, as I did not do any special setup for it (only ran, for example, $this->security->getSaltBytes() in the controller).

I have to add that this is tested on a Windows7 version of PHP 5.3.6, having latest version of Phalcon (1.2.1)

One of the solutions I see is to use ISAAC secure random number generator: http://www.burtleburtle.net/bob/rand/isaacafa.html It is extremely fast.

ISAAC can be seeded during phalcon startup: on Windows php_win32_get_random_bytes() function can be used (mcrtypt uses as a substitute for /dev/urandom), on Linux/Mac we can use /dev/urandom and fall back to plain rand() if everything else fails.


Thanks Vladimir.

Since the app is intended for a Linux box, and only the development is done on Windows, I think I can cope with that.