Generating cryptographically secure tokens

In PHP, you can use the built-in function random_bytes() to generate cryptographically secure random bytes, which can then be converted into a token. For example:

<?php

$bytes = random_bytes(32); // 32 bytes = 256 bits
$token = bin2hex($bytes);

On older versions of PHP that do not have random_bytes(), you can use the paragonie/random_compat library, which provides a polyfill for the function.

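Alternatively, you can use the openssl_random_pseudo_bytes() function, which also generates cryptographically secure random bytes but relies on the OpenSSL library. It is a good option if you are using an older version of PHP that does not support random_bytes(). Pass its optional second argument and check it: it is set to true only when a cryptographically strong algorithm was used, and on older PHP versions the function returns false on failure.

<?php

// $strong is set by reference: true only if a strong algorithm was used
$bytes = openssl_random_pseudo_bytes(32, $strong);
if ($bytes === false || $strong !== true) {
    throw new RuntimeException('No cryptographically strong random source');
}
$token = bin2hex($bytes);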

Both random_bytes() and openssl_random_pseudo_bytes() return a string of random bytes that can be used as a token.

Always use a cryptographically secure random number generator (CSPRNG) to generate tokens, and use a sufficiently large number of random bytes so that the generated tokens have enough entropy.
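
The two sources and the length advice above can be combined into one helper that fails closed. This is an added example, not code from the original page: the names secure_bytes, generate_token and MIN_TOKEN_BYTES, the 16-byte floor and the base64url output option are assumptions made for illustration.

```php
<?php
// Added example. The helper names and the 16-byte floor are assumptions.
const MIN_TOKEN_BYTES = 16; // assumed minimum: 128 bits of entropy

function secure_bytes($length)
{
    if (!is_int($length) || $length < MIN_TOKEN_BYTES) {
        throw new InvalidArgumentException('Need at least ' . MIN_TOKEN_BYTES . ' bytes');
    }
    // Preferred source: native on PHP 7+, or supplied by the random_compat polyfill.
    if (function_exists('random_bytes')) {
        return random_bytes($length); // throws if no secure source is available
    }
    // Fallback for older PHP with the OpenSSL extension loaded.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        // Accept the output only if OpenSSL reports a strong algorithm
        // and returned exactly the number of bytes requested.
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // Fail closed rather than fall back to rand(), mt_rand() or uniqid().
    throw new RuntimeException('No cryptographically secure random source available');
}

function generate_token($length = 32, $urlSafe = false)
{
    $bytes = secure_bytes($length);
    if (!$urlSafe) {
        return bin2hex($bytes); // two hex characters per byte
    }
    // base64url without padding: shorter than hex and safe in URLs.
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

$hexToken = generate_token();
$urlToken = generate_token(32, true);
printf("hex:       %s (%d chars)\n", $hexToken, strlen($hexToken));
printf("base64url: %s (%d chars)\n", $urlToken, strlen($urlToken));
```

The function signatures avoid scalar type declarations so the same file also runs on the older PHP versions where the fallback branch matters.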