# Session Token Prediction via Weak Random Number Generation

Language: Python
Severity: Critical
CWE: CWE-338

## Source
10

## Flow
10-11

## Sink
11

## Vulnerable Code
```python
import random
import time
from flask import Flask, session

app = Flask(__name__)

@app.route('/iot/device/provision')
def provision_iot_device():
    device_id = request.args.get('device_id')
    random.seed(int(time.time()))
    device_token = ''.join([str(random.randint(0, 9)) for _ in range(24)])
    session['iot_auth_token'] = device_token
    return {'device_id': device_id, 'auth_token': device_token, 'expires': 3600}
```

## Explanation

The code uses Python's random module seeded with time.time() to generate authentication tokens for IoT devices. Since time.time() is predictable and random is not cryptographically secure, attackers can predict token values by knowing approximate provisioning time and brute-forcing the small time window, allowing unauthorized device impersonation.

## Remediation

The fix replaces the insecure random module (seeded with predictable time.time()) with Python's secrets module, which uses a cryptographically secure random number generator (CSPRNG). The token is now generated using secrets.token_urlsafe(32), producing a 256-bit token with high entropy that is resistant to prediction attacks. Additionally, the Flask secret_key is set using secrets.token_hex(32) to ensure session integrity.

## Secure Code
```python
import secrets
import string
from flask import Flask, session, request

app = Flask(__name__)
app.secret_key = secrets.token_hex(32)

@app.route('/iot/device/provision')
def provision_iot_device():
    device_id = request.args.get('device_id')
    device_token = secrets.token_urlsafe(32)
    session['iot_auth_token'] = device_token
    return {'device_id': device_id, 'auth_token': device_token, 'expires': 3600}
```
