From 0f994df357c3aa9d7a29cca711cb5f6d29a4b614 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Sat, 25 Jun 2011 11:39:19 +0200
Subject: Simplify session ID generation

There was too much voodoo going on in new_sid(). Just use uniqid() with
a random seed and the optional entropy parameter to generate MD5 input.

Use the remote IP address as a salt to reduce the chance of two clients
getting the same ID if they login at exactly the same time.

Thanks-to: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/lib/aur.inc.php | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

(limited to 'web')

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 73f8fd36..00a8c8ce 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -91,16 +91,7 @@ function make_seed() {
 # generate a (hopefully) unique session id
 #
 function new_sid() {
-	mt_srand(make_seed());
-	$ts = time();
-	$pid = getmypid();
-
-	$rand_num = mt_rand();
-	mt_srand(make_seed());
-	$rand_str = substr(md5(mt_rand()),2, 20);
-
-	$id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num;
-	return strtoupper(md5($id));
+	return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true));
 }
 
 
-- 
cgit v1.2.3-24-g4f1b