diff options
author | Dries Buytaert <dries@buytaert.net> | 2010-05-01 08:12:23 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2010-05-01 08:12:23 +0000 |
commit | 71713081a2b79b0baa024742cdbb4af536f77f4b (patch) | |
tree | e9bc0d309856beb05a6fae67fdbdd75c59ccef9f /includes/session.inc | |
parent | 2a2f4cc0be547f515ccd4212e9aeca7765a4968b (diff) | |
download | brdo-71713081a2b79b0baa024742cdbb4af536f77f4b.tar.gz brdo-71713081a2b79b0baa024742cdbb4af536f77f4b.tar.bz2 |
- Patch #723802 by pwolanin, grendzy: convert to sha-256 and hmac from md5 and sha1.
Diffstat (limited to 'includes/session.inc')
-rw-r--r-- | includes/session.inc | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/includes/session.inc b/includes/session.inc index 7dec4464d..67c52e6ef 100644 --- a/includes/session.inc +++ b/includes/session.inc @@ -206,7 +206,10 @@ function drupal_session_initialize() { // processes (like drupal_get_token()) needs to know the future // session ID in advance. $user = drupal_anonymous_user(); - session_id(md5(uniqid('', TRUE))); + // Less random sessions (which are much faster to generate) are used for + // anonymous users than are generated in drupal_session_regenerate() when + // a user becomes authenticated. + session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE))); } date_default_timezone_set(drupal_get_user_timezone()); } @@ -284,7 +287,7 @@ function drupal_session_regenerate() { if ($is_https && variable_get('https', FALSE)) { $insecure_session_name = substr(session_name(), 1); $params = session_get_cookie_params(); - $session_id = md5(uniqid(mt_rand(), TRUE)); + $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55)); setcookie($insecure_session_name, $session_id, REQUEST_TIME + $params['lifetime'], $params['path'], $params['domain'], FALSE, $params['httponly']); $_COOKIE[$insecure_session_name] = $session_id; } |