Changeset fb061aa in github

Timestamp:

Mar 8, 2011 3:07:43 AM (2 years ago)

Author:

thomascube <thomas@…>

Branches:

master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8

Children:

c294eaa

Parents:

6f6efa2

Message:

Use PHPs session_regenerte_id() instead of using (unreliable) mt_rand() function (#1486281)

Files:

• CHANGELOG (modified) (1 diff)
• program/include/rcube_session.php (modified) (1 diff)

CHANGELOG

@@ -2 +2 @@
 ===========================
 
+- Get around unreliable rand() and mt_rand() in session ID generation (#1486281)
 - Fix some emails are not shown using Cyrus IMAP (#1487820)
 - Fix handling of mime-encoded words with non-integral number of octets in a word (#1487801)

program/include/rcube_session.php

@@ -213 +213 @@
     $this->vars = false;
 
-    $randval = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
-
-    for ($random = '', $i=1; $i <= 32; $i++) {
-      $random .= substr($randval, mt_rand(0,(strlen($randval) - 1)), 1);
-    }
-
-    // use md5 value for id
-    $this->key = md5($random);
-    session_id($this->key);
-
-    $cookie   = session_get_cookie_params();
-    $lifetime = $cookie['lifetime'] ? time() + $cookie['lifetime'] : 0;
-
-    rcmail::setcookie(session_name(), $this->key, $lifetime);
+    session_regenerate_id(false);
+    $this->key = session_id();
 
     return true;