Microtime and date object

#1

Hello, I need someone to help me understand microtime using PHP. From what I understand, microtime is a float and the use of it requires a 64bit system - a 64 bit server not client, right? So I can implement microtime on a 64bit server and a 32bit client has no issues, right? Authors of material are not being clear about this. Just saying it requires a 64 bit system is misleading. I think it should be stated as “use of microtime requires that the app system must be a 64bit system, although clients do not run the code so they can be 32bit or 64 bit.” I hate bad authors that use vague statements or deliberately ambiguous statements.

Anyway, since microtime seems to be complex to handle, I also notice that the date object offers milliseconds and even nanoseconds! This is sweet but I am a bit confused about how to use this in a timing situation. For example, I’ve followed the guidelines for a CSRF token offered to me by a security expert. All is good/my script is working well, however, I noticed when testing the time that if I submit the form within the second that the token expires, then the form is still accepted. This is due to milliseconds which is obviously a security threat. Let’s face it, a hacker has the ability to execute within nanoseconds, thus I now wonder why this security expert thinks that this token format is secure. Regardless of this matter, I would like to implement a nanosecond timestamp but this seems far too complex for the microtime() function.

So, will someone offer some advice about using the datetime object for nanosecond timestamp comparisons? Please. I still have trouble with this date object, interval, difference code. For some reason, I always get string errors.

#2

Well, I guess the gettimeofday operation is no good:

https://blog.habets.se/2010/09/gettimeofday-should-never-be-used-to-measure-time.html

I’m really surprised that the tech industry isn’t measuring nanosecond activity with dates and other authentication creds. Seems like a no-brainer but programmatic support is missing. I’ll have to consult an expert.

Thanks.

#3

Aha! I found a solution: hrtime() if you are using PHP 7.3
https://php.net/manual/en/function.hrtime.php

This is great! Along with a date stamp, this is better security.

#4

As you need a timeout that’s large enough to let the user interact with the form, and you set the timeout by yourself anyway, I do not see how any nanosecond delay would be a threat here.

Also, as PHP is completely server-side, there’s (barely) any client-related functionality within the manual.
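
An added example, not code from any poster in this thread: one way to make the expiry boundary from #1 explicit with whole-second timestamps, by signing the expiry into the token and accepting it only strictly before the expiry second. The names `issueToken`, `verifyToken`, `TOKEN_TTL`, the session id and the timestamp are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names and values throughout; nothing here comes from the thread.
const TOKEN_TTL = 900; // seconds the form stays valid (constructed value)

function issueToken(string $secret, string $sessionId, int $now): string
{
    $expires = $now + TOKEN_TTL;
    // Bind the expiry to the session so neither can be changed by the client.
    $mac = hash_hmac('sha256', $sessionId . '|' . $expires, $secret);
    return $expires . '.' . $mac;
}

function verifyToken(string $secret, string $sessionId, string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $sessionId . '|' . $expires, $secret);
    // Constant-time comparison; a forged or altered expiry fails here.
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    // Strict "<": a submission during the expiry second itself is rejected.
    // Writing "<=" here would accept it for up to one more second.
    return $now < (int) $expires;
}

$secret  = random_bytes(32);          // server-side key, never sent to the client
$session = 'constructed-session-id';  // constructed sample value
$issued  = 1700000000;                // constructed timestamp; time() in practice
$token   = issueToken($secret, $session, $issued);

var_dump(verifyToken($secret, $session, $token, $issued + TOKEN_TTL - 1)); // last valid second
var_dump(verifyToken($secret, $session, $token, $issued + TOKEN_TTL));     // expiry second
var_dump(verifyToken($secret, $session, $token . '0', $issued));           // altered MAC
var_dump(verifyToken($secret, 'other-session', $token, $issued));          // different session
```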