
Commit f20970d

committed
Use phpseclib's Crypt::Random to generate CSRF token
Signed-off-by: Michal Čihař <michal@cihar.com>
1 parent dbb2673 commit f20970d


1 file changed

+4
-2
lines changed


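--- a/libraries/session.inc.php
+++ b/libraries/session.inc.php
@@ -13,6 +13,8 @@
 exit;
 }
 
+require PHPSECLIB_INC_DIR . '/Crypt/Random.php';
+
 // verify if PHP supports session, die if it does not
 
 if (!@function_exists('session_name')) {
@@ -111,7 +113,7 @@
 * (we use "space PMA_token space" to prevent overwriting)
 */
 if (! isset($_SESSION[' PMA_token '])) {
-$_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
+$_SESSION[' PMA_token '] = bin2hex(phpseclib\Crypt\Random::string(16));
 }
 
 /**
@@ -130,5 +132,5 @@ function PMA_secureSession()
 ) {
 session_regenerate_id(true);
 }
-$_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
+$_SESSION[' PMA_token '] = bin2hex(phpseclib\Crypt\Random::string(16));
 }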
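Review bot: The token-generation expression `bin2hex(phpseclib\Crypt\Random::string(16))` is now written out twice, once at the initial `isset` guard (second hunk) and once at the end of `PMA_secureSession()` (third hunk, whose body starts outside the hunk); a single helper would keep the length and entropy source defined in one place and give a home for the reason behind the change, which the commit leaves undocumented. The former `md5(uniqid(rand(), true))` is time-based and seeded from `rand()`, so the comment on the helper should say the token is 128 bits from a CSPRNG rather than merely "random". Wherever the session token is later compared against a request parameter (not visible here), the comparison should use `hash_equals()`; worth confirming. The new `require` at the first hunk assumes `PHPSECLIB_INC_DIR` is already defined at that point in the file, which cannot be checked from the hunk.
```php
/**
 * Returns a new CSRF token: 128 bits from phpseclib's CSPRNG, hex-encoded
 * (replaces the predictable md5(uniqid(rand(), true)) construction).
 */
function PMA_generateToken()
{
    return bin2hex(phpseclib\Crypt\Random::string(16));
}

// … unchanged: session setup …
if (! isset($_SESSION[' PMA_token '])) {
    $_SESSION[' PMA_token '] = PMA_generateToken();
}
// … unchanged: PMA_secureSession() body, ending with …
    $_SESSION[' PMA_token '] = PMA_generateToken();
```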
