Fix #11738: Use an ASCII compatible session key

Commit 1416aaf deprecated $g_session_key in favour of a unique key automatically derived from $g_crypto_master_salt. However a bug existed in this commit whereby the output of the hash() function was raw data, thus leading to failure of PHP sessions. We need to ensure that the session key is ASCII compatible.
mantisbt · Dec 25, 2010 · e487d70 · e487d70
1 parent 1416aaf
commit e487d70
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/session_api.php b/core/session_api.php
@@ -102,7 +102,7 @@ function __construct( $p_session_id=null ) {
 		global $g_cookie_secure_flag_enabled;
 		global $g_cookie_httponly_flag_enabled;
 
-		$this->key = hash( 'whirlpool', 'session_key' . config_get_global( 'crypto_master_salt' ), true );
+		$this->key = hash( 'whirlpool', 'session_key' . config_get_global( 'crypto_master_salt' ), false );
 
 		# Save session information where specified or with PHP's default
 		$t_session_save_path = config_get_global( 'session_save_path' );