Fixed a couple of spots where random values were not using cryptograp…

…hically-secure methods.
beestat · Jan 8, 2022 · 14bed9c · 14bed9c
1 parent ee6a196
commit 14bed9c
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/api/cora/session.php b/api/cora/session.php
@@ -250,7 +250,7 @@ public function get() {
    * @return string The generated session key.
    */
   private function generate_session_key() {
-    return strtolower(sha1(uniqid(mt_rand(), true)));
+    return bin2hex(random_bytes(20));
   }
 
   /**

diff --git a/api/user.php b/api/user.php
@@ -55,8 +55,8 @@ public function create($attributes) {
    * without having to spend the time creating an actual user.
    */
   public function create_anonymous_user() {
-    $username = strtolower(sha1(uniqid(mt_rand(), true)));
-    $password = strtolower(sha1(uniqid(mt_rand(), true)));
+    $username = bin2hex(random_bytes(20));
+    $password = bin2hex(random_bytes(20));
     $user = $this->create([
       'username' => $username,
       'password' => $password,