The server method
protected function createRandomBigIntegerInRange() just calls
protected function getSecureRandom($bits = 64) passing no arguments. That is actually a typo as it is 64 bytes which gives a 512 bit random number. RFC 5054 says that the minimum bits should be 256 and that the number should be in the range 1 to N. If N is 1024 then we are using twice the minimum bits bits but half the recommended bits of the RFC.
It is really cheap to generate a random number of bit length equal to the bit length of N (typically >=1024 bits). Given that PHP installs have a history of not quite so good random numbers using the full bit length is a good idea. Then to put it into the range recommended by RFC 5054 which is
[1,N) we can simply
mod(N) the random and loop if it is zero.