From 1470b99d1facd07fcb46c0c4e46896d339f5a75a Mon Sep 17 00:00:00 2001
From: Andy Staudacher
Date: Sat, 30 Jan 2010 21:42:57 -0800
Subject: Protect REST login controller from brute force attacks too. And make the REST auth token less predictable by using a better source for randomness.
---
 modules/rest/helpers/rest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'modules/rest/helpers')
diff --git a/modules/rest/helpers/rest.php b/modules/rest/helpers/rest.php
index 3883794a..b3f80a55 100644
--- a/modules/rest/helpers/rest.php
+++ b/modules/rest/helpers/rest.php
@@ -64,7 +64,7 @@ class rest_Core {
 if (!$key->loaded()) {
 $key->user_id = $user_id;
- $key->access_key = md5(rand());
+ $key->access_key = md5(md5(uniqid(mt_rand(), true) . access::private_key()));
 $key->save();
 }
 return $key;
-- 
cgit v1.2.3
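Review bot: The new `access_key` expression on the added line still draws on `mt_rand()` and `uniqid()`, neither of which is a cryptographic random source, so the token's unpredictability rests on `access::private_key()` staying secret (its generation is not visible here), and the outer `md5()` adds nothing. Where the PHP version provides it, a CSPRNG gives a token of the same 32-hex-character length: `$key->access_key = bin2hex(random_bytes(16));`. Because the assignment runs only when `!$key->loaded()`, keys already issued from `md5(rand())` stay in use after this change, so they presumably need a one-off rotation. The enclosing function starts and ends outside the hunk.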