Use PHPs session_regenerte_id() instead of using (unreliable) mt_rand() function (#1486281)

release-0.6
thomascube 14 years ago
parent 6f6efa20d7
commit fb061aaece

@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
- Get around unreliable rand() and mt_rand() in session ID generation (#1486281)
- Fix some emails are not shown using Cyrus IMAP (#1487820)
- Fix handling of mime-encoded words with non-integral number of octets in a word (#1487801)
- New config option for custom logo

@ -212,20 +212,8 @@ class rcube_session
$this->destroy(session_id());
$this->vars = false;
$randval = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
for ($random = '', $i=1; $i <= 32; $i++) {
$random .= substr($randval, mt_rand(0,(strlen($randval) - 1)), 1);
}
// use md5 value for id
$this->key = md5($random);
session_id($this->key);
$cookie = session_get_cookie_params();
$lifetime = $cookie['lifetime'] ? time() + $cookie['lifetime'] : 0;
rcmail::setcookie(session_name(), $this->key, $lifetime);
session_regenerate_id(false);
$this->key = session_id();
return true;
}

Loading…
Cancel
Save