From 0f994df357c3aa9d7a29cca711cb5f6d29a4b614 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Sat, 25 Jun 2011 11:39:19 +0200
Subject: Simplify session ID generation

There was too much voodoo going on in new_sid(). Just use uniqid() with a random seed and the optional entropy parameter to generate MD5 input. Use the remote IP address as a salt to reduce the chance of two clients getting the same ID if they login at exactly the same time.

Thanks-to: Florian Pritz
Signed-off-by: Lukas Fleischer
---
 web/lib/aur.inc.php | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 73f8fd3..00a8c8c 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -91,16 +91,7 @@ function make_seed() {
 # generate a (hopefully) unique session id
 #
 function new_sid() {
- mt_srand(make_seed());
- $ts = time();
- $pid = getmypid();
-
- $rand_num = mt_rand();
- mt_srand(make_seed());
- $rand_str = substr(md5(mt_rand()),2, 20);
-
- $id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num;
- return strtoupper(md5($id));
+ return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true));
 }
-- 
cgit v1.2.3-70-g09d2
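Review bot: The added `return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true));` still builds the session ID from sources that are not cryptographically secure: `mt_rand()` is a Mersenne Twister output and `uniqid()` is derived from the current microtime, so the `md5()` wrapper does not add unpredictability, and `REMOTE_ADDR` is public information that only helps against same-instant collisions. A session identifier should be drawn from a CSPRNG instead, e.g. `return bin2hex(random_bytes(16));` on PHP 7+, or `bin2hex(openssl_random_pseudo_bytes(16))` / a read from `/dev/urandom` on the PHP versions of this commit's era; that also makes the IP salt unnecessary. Note too that the removed code returned `strtoupper(md5(...))` while the new line returns lowercase hex, so if stored IDs are compared case-sensitively anywhere outside this hunk, confirm that callers do not depend on the old casing.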