Use phpseclib's Crypt::Random to generate CSRF token

Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · Jan 19, 2016 · f20970d · f20970d
1 parent dbb2673
commit f20970d
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/libraries/session.inc.php b/libraries/session.inc.php
@@ -13,6 +13,8 @@
     exit;
 }
 
+require PHPSECLIB_INC_DIR . '/Crypt/Random.php';
+
 // verify if PHP supports session, die if it does not
 
 if (!@function_exists('session_name')) {
@@ -111,7 +113,7 @@
  * (we use "space PMA_token space" to prevent overwriting)
  */
 if (! isset($_SESSION[' PMA_token '])) {
-    $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
+    $_SESSION[' PMA_token '] = bin2hex(phpseclib\Crypt\Random::string(16));
 }
 
 /**
@@ -130,5 +132,5 @@ function PMA_secureSession()
     ) {
         session_regenerate_id(true);
     }
-    $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
+    $_SESSION[' PMA_token '] = bin2hex(phpseclib\Crypt\Random::string(16));
 }