I'm using Adam Griffiths's Authentication Library for CodeIgniter and I'm tweaking the usermodel.

I came across a generate function that he uses to generate tokens.

His preferred approach is to reference a value from random.org but I considered that superfluous. I'm using his fall back approach of randomly generating a 20 character long string:

$length = 20;
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$token = '';    
for ($i = 0; $i < $length; $i++) {
 $token .= $characters[mt_rand(0, strlen($characters)-1)];
}

He then hashes this token using a salt (I'm combing code from different functions)

sha1($this->CI->config->item('encryption_key').$str);

I was wondering if theres any reason to to run the token through the salted hash?

I've read that simply randomly generating strings was a naive way of making random passwords but is the sh1 hash and salt necessary?

Note: I got my encryption_key from https://www.grc.com/passwords.htm (63 random alpha-numeric)