From e16ca48833e9dd774a61eaab7ca32c44ce6a4276 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Tue, 3 Jan 2006 22:44:53 +0000
Subject: Bug 119524: SECURITY: predictable sessionid (Use a token instead of
 logincookie) - Patch by Olav Vitters <bugzilla-mozilla@bkor.dhs.org> r=mkanat
 a=justdave

---
 Bugzilla/Auth/Login/WWW/CGI.pm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'Bugzilla/Auth/Login')

diff --git a/Bugzilla/Auth/Login/WWW/CGI.pm b/Bugzilla/Auth/Login/WWW/CGI.pm
index 22b2bf1fb..17a9cfce6 100644
--- a/Bugzilla/Auth/Login/WWW/CGI.pm
+++ b/Bugzilla/Auth/Login/WWW/CGI.pm
@@ -35,6 +35,7 @@ use Bugzilla::Config;
 use Bugzilla::Constants;
 use Bugzilla::Error;
 use Bugzilla::Util;
+use Bugzilla::Token;
 
 sub login {
     my ($class, $type) = @_;
@@ -70,11 +71,12 @@ sub login {
         # subsequent login
         trick_taint($ipaddr);
 
-        $dbh->do("INSERT INTO logincookies (userid, ipaddr, lastused)
-                 VALUES (?, ?, NOW())",
+        my $logincookie = Bugzilla::Token::GenerateUniqueToken('logincookies', 'cookie');
+
+        $dbh->do("INSERT INTO logincookies (cookie, userid, ipaddr, lastused)
+                 VALUES (?, ?, ?, NOW())",
                  undef,
-                 $userid, $ipaddr);
-        my $logincookie = $dbh->bz_last_key('logincookies', 'cookie');
+                 $logincookie, $userid, $ipaddr);
 
         # Remember cookie only if admin has told so
         # or admin didn't forbid it and user told to remember.
-- 
cgit v1.2.3-24-g4f1b