Fixed a couple of spots where random values were not using cryptographically-secure methods.

2025-05-24 02:14:03 -04:00 · 2022-01-08 15:48:32 -05:00 · 2022-01-08 15:48:32 -05:00 · 14bed9c570
commit 14bed9c570
parent ee6a196a72
2 changed files with 3 additions and 3 deletions
--- a/api/cora/session.php
+++ b/api/cora/session.php
@ -250,7 +250,7 @@ final class session {
   * @return string The generated session key.
   */
  private function generate_session_key() {
-    return strtolower(sha1(uniqid(mt_rand(), true)));
+    return bin2hex(random_bytes(20));
  }

  /**
--- a/api/user.php
+++ b/api/user.php
@ -55,8 +55,8 @@ class user extends cora\crud {
   * without having to spend the time creating an actual user.
   */
  public function create_anonymous_user() {
-    $username = strtolower(sha1(uniqid(mt_rand(), true)));
-    $password = strtolower(sha1(uniqid(mt_rand(), true)));
+    $username = bin2hex(random_bytes(20));
+    $password = bin2hex(random_bytes(20));
    $user = $this->create([
      'username' => $username,
      'password' => $password,