diff --git a/api/cora/session.php b/api/cora/session.php
index 929b609..c30018e 100644
--- a/api/cora/session.php
+++ b/api/cora/session.php
@@ -250,7 +250,7 @@ public function get() {
 * @return string The generated session key.
 */
 private function generate_session_key() {
- return strtolower(sha1(uniqid(mt_rand(), true)));
+ return bin2hex(random_bytes(20));
 }

 /**
diff --git a/api/user.php b/api/user.php
index 66e5d29..d937ef9 100644
--- a/api/user.php
+++ b/api/user.php
@@ -55,8 +55,8 @@ public function create($attributes) {
 * without having to spend the time creating an actual user.
 */
 public function create_anonymous_user() {
- $username = strtolower(sha1(uniqid(mt_rand(), true)));
- $password = strtolower(sha1(uniqid(mt_rand(), true)));
+ $username = bin2hex(random_bytes(20));
+ $password = bin2hex(random_bytes(20));
 $user = $this->create([
 'username' => $username,
 'password' => $password,
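Review bot: Session keys issued before this change came from `uniqid(mt_rand(), true)`, and nothing in this hunk retires them, so they stay valid for as long as the session store keeps them. The same holds for the usernames and passwords of anonymous users already created through `create_anonymous_user()` in api/user.php. If those rows survive the deploy, expiring the existing sessions and resetting the stored anonymous passwords would close the gap. The docblock, which starts above the hunk, could also record the new failure mode, for example `@throws \Exception If no source of secure randomness is available.`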
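Review bot: `bin2hex(random_bytes(20))` is now written out three times across this file and api/cora/session.php, with the 20 left unexplained. A short comment above the two assignments, such as `// 20 random bytes -> 40 hex characters, the same length sha1() produced`, would tell the next reader why that size was chosen and keep the call sites from drifting apart. `$password` is passed to `$this->create()`, whose body is not visible here, so it is worth confirming that the value is hashed there and never logged or returned. The function continues past the end of the hunk.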