From c4f5d43aff9ff52cf9b0062ac02d22aa49f8d9fa Mon Sep 17 00:00:00 2001 From: thomasb Date: Tue, 8 Mar 2011 08:07:43 +0000 Subject: Use PHPs session_regenerte_id() instead of using (unreliable) mt_rand() function (#1486281) git-svn-id: https://svn.roundcube.net/trunk@4598 208e9e7b-5314-0410-a742-e7e81cd9613c --- roundcubemail/CHANGELOG | 1 + roundcubemail/program/include/rcube_session.php | 16 ++-------------- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/roundcubemail/CHANGELOG b/roundcubemail/CHANGELOG index 90ce0ab6a..1336e96fd 100644 --- a/roundcubemail/CHANGELOG +++ b/roundcubemail/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Get around unreliable rand() and mt_rand() in session ID generation (#1486281) - Fix some emails are not shown using Cyrus IMAP (#1487820) - Fix handling of mime-encoded words with non-integral number of octets in a word (#1487801) - New config option for custom logo diff --git a/roundcubemail/program/include/rcube_session.php b/roundcubemail/program/include/rcube_session.php index 2bd663c83..0fc444256 100644 --- a/roundcubemail/program/include/rcube_session.php +++ b/roundcubemail/program/include/rcube_session.php @@ -212,20 +212,8 @@ class rcube_session $this->destroy(session_id()); $this->vars = false; - $randval = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; - - for ($random = '', $i=1; $i <= 32; $i++) { - $random .= substr($randval, mt_rand(0,(strlen($randval) - 1)), 1); - } - - // use md5 value for id - $this->key = md5($random); - session_id($this->key); - - $cookie = session_get_cookie_params(); - $lifetime = $cookie['lifetime'] ? time() + $cookie['lifetime'] : 0; - - rcmail::setcookie(session_name(), $this->key, $lifetime); + session_regenerate_id(false); + $this->key = session_id(); return true; } -- cgit v1.2.3