Using srand(time()) to generate a token for a password reset (or for a CSRF token) is bad because the token can be predictable.
I read these:
But I don't understand how the token can be predictable. I understand that if in one second I reset my password many times I get the same token. I have the following code:
<?php
srand(time());
$reset_password_token = rand(444444444444,999999999999);
?>
If I reset my password many times in one second, I know I get the same token, but how can an attacker exploit this?
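As an added illustration (not code from the question), the snippet below makes the seed explicit to show that the token is a pure function of the second it was generated in, and shows the CSPRNG replacement; the function names are my own.

```php
<?php
// Added example, not part of the original question. It isolates the two
// properties of the posted snippet and shows the fix.

// The question's generator, with the seed passed in so it can be replayed.
function weakToken(int $seedSecond): int {
    srand($seedSecond);                        // seed = Unix time in seconds
    return rand(444444444444, 999999999999);   // the question's range
}

// Same second in, same token out. The 12-digit range suggests ~5.5e11
// possibilities, but the only input is the seed, so there are exactly
// one token per second and 86400 distinct tokens per day.
$now = time();
var_dump(weakToken($now) === weakToken($now));        // bool(true)
echo weakToken($now), "\n";
echo weakToken($now - 1), "\n";                        // a different second gives a different token

// This is why the token is predictable: it is not secret at all, it is
// derived from a public value (the clock). Anyone who can estimate when a
// reset was requested to within a few seconds knows the small set of
// values the token could have taken. The 12-digit range does not help.

// Fix: draw the token from the OS CSPRNG (PHP 7+). Its value cannot be
// reconstructed from the time or from any earlier token.
function strongToken(): string {
    return bin2hex(random_bytes(32));          // 256 bits of entropy, 64 hex chars
}

// Store only a hash of the token server-side and compare in constant time,
// so neither a database leak nor a timing side channel exposes it.
$token = strongToken();
$stored = hash('sha256', $token);
var_dump(hash_equals($stored, hash('sha256', $token)));   // bool(true)
```

If you also need a numeric token, use random_int(444444444444, 999999999999) instead of rand(); both random_int() and random_bytes() ignore srand() entirely.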