For security tokens (session IDs, CSRF tokens, password‐reset links), use cryptographically secure random functions like random_bytes() or openssl_random_pseudo_bytes(), instead of predictable functions like rand() or mt_rand().
Common random functions are not suitable for security because they can produce predictable values. Predictable tokens allow attackers to guess session IDs or other sensitive tokens, compromising system security. Cryptographic generators ensure strong randomness.
Side-by-side examples engineers can pattern-match during review.
<?php
$token = mt_rand();
?><?php
$token = bin2hex(random_bytes(16));
?><?php
$token = mt_rand();
?><?php
$token = bin2hex(random_bytes(16));
?>From the same buckets as this rule.