The docs for
Do not use for security related purposes (the string is not truly random)., maybe we should use
random_bytes() if it's available?
The best way imho is using
random_bytes(), but this will only work for PHP7+.
So if this is not a problem, you should use this polyfill (https://github.com/paragonie/random_compat) and than use
If you do not want to implement another dependency, you can do your own PHP7+ check and otherwise use
openssl_random_pseudo_bytes will be available everywhere. @diosmosis I think we can remove the content as in most cases it will use
random_int and the comment was probably never removed after updating the