Make brute force attacks harder by re-generating security token on every failed login (#1490549)

Or more precissely use the same we did in git-master, i.e. do not base the token on
session ID, but use random bytes instead.

CHANGELOG

@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
 ===========================
 
 - Fix so Installer requires PHP5
+- Make brute force attacks harder by re-generating security token on every failed login (#1490549)
 
 RELEASE 1.1.3
 -------------

program/lib/Roundcube/rcube.php

@@ -1027,15 +1027,14 @@ class rcube
      */
     public function get_request_token()
     {
-        $sess_id = $_COOKIE[ini_get('session.name')];
-        if (!$sess_id) {
-            $sess_id = session_id();
-        }
+        if (empty($_SESSION['request_token'])) {
+            $plugin = $this->plugins->exec_hook('request_token', array(
+                'value' => rcube_utils::random_bytes(32)));
 
-        $plugin = $this->plugins->exec_hook('request_token', array(
-            'value' => md5('RT' . $this->get_user_id() . $this->config->get('des_key') . $sess_id)));
+            $_SESSION['request_token'] = $plugin['value'];
+        }
 
-        return $plugin['value'];
+        return $_SESSION['request_token'];
     }