see #523 - improve randomness when creating the PFA_token field; repo…

…rted by @michaellrowley via huntr.dev.

functions.inc.php

@@ -108,7 +108,8 @@ function init_session($username, $is_admin = false)
     $_SESSION['sessid']['roles'] = array();
     $_SESSION['sessid']['roles'][] = $is_admin ? 'admin' : 'user';
     $_SESSION['sessid']['username'] = $username;
-    $_SESSION['PFA_token'] = md5(uniqid("", true));
+
+    $_SESSION['PFA_token'] = md5(random_bytes(8) . uniqid('pfa', true));
 
     return $status;
 }

public/users/login.php

@@ -70,8 +70,7 @@
 if ($error) {
     flash_error($error);
 }
-
-$_SESSION['PFA_token'] = md5(uniqid('pfa'  . rand(), true));
+$_SESSION['PFA_token'] = md5(random_bytes(8) . uniqid('pfa', true));
 
 $smarty->assign('language_selector', language_selector(), false);
 $smarty->assign('smarty_template', 'login');