Has anyone encountered the situation in which using the CSRF code on a form increases the page loading time substantially? In my case, a page without any CSRF inputs loads in aprox. 0.4s. By adding (generating) a CSRF code, the loading time increases to 1.4s. More than this, adding a second CSRF input adds another second to the page loading time ... and so on.
Any ideas?
how many bytes are used to Phalcon\Security::getTokenKey and Phalcon\Security::getToken or setWorkFactor?
https://docs.phalcon.io/en/latest/reference/security.html#setting-up-the-component https://docs.phalcon.io/en/latest/api/Phalcon_Security.html
random bytes: 16 work factor: 8
Only by running getSaltBytes() the loading time jumped from 0.2s to values between 1.4s and 3.4s Also, the security component is the one registered automatically, as I did not do any special setup for it (only ran, for example, $this->security->getSaltBytes() in the controller).
I have to add that this is tested on a Windows7 version of PHP 5.3.6, having latest version of Phalcon (1.2.1)
This seems to be a known issue: https://stackoverflow.com/questions/1940168/openssl-random-pseudo-bytes-is-slow-php
One of the solutions I see is to use ISAAC secure random number generator: https://www.burtleburtle.net/bob/rand/isaacafa.html It is extremely fast.
ISAAC can be seeded during phalcon startup: on Windows php_win32_get_random_bytes() function can be used (mcrtypt uses as a substitute for /dev/urandom), on Linux/Mac we can use /dev/urandom and fall back to plain rand() if everything else fails.
Thanks Vladimir.
Since the app is intended for a Linux box, and only the development is done on Windows, I think I can cope with that.
