From bc959df0c9df3fdf250fb93ef30dbb81cbd848c7 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 19 May 2016 15:46:30 +0200
Subject: Fix CSRF token checking; improve token/sid generation

---
 inc/session.inc.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'inc/session.inc.php')

diff --git a/inc/session.inc.php b/inc/session.inc.php
index b4299e06..26effa3f 100644
--- a/inc/session.inc.php
+++ b/inc/session.inc.php
@@ -11,11 +11,11 @@ class Session
 private static $sid = false;
 private static $data = false;
 
- private static function generateSessionId()
+ private static function generateSessionId($salt)
 {
 if (self::$sid !== false) Util::traceError('Error: Asked to generate session id when already set.');
- self::$sid = sha1(
- mt_rand(0, 65535)
+ self::$sid = sha1($salt . ','
+ . mt_rand(0, 65535)
 . $_SERVER['REMOTE_ADDR']
 . mt_rand(0, 65535)
 . $_SERVER['REMOTE_PORT']
@@ -27,9 +27,9 @@ class Session
 );
 }
 
- public static function create()
+ public static function create($salt = '')
 {
- self::generateSessionId();
+ self::generateSessionId($salt);
 self::$data = array();
 }
 
-- cgit v1.2.3-55-g7522
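Review bot: The session id built in generateSessionId() still gets its unpredictability from `mt_rand(0, 65535)` and request metadata (`REMOTE_ADDR`, `REMOTE_PORT`), so prefixing `$salt` only strengthens it if every caller passes a value that is both secret and unpredictable. mt_rand() is not a cryptographically secure generator and each call here contributes at most 16 bits, while the address and port are values the client already knows. The rest of the sha1() argument list lies between this hunk and the next and is not shown, so other inputs may exist. I would still take the id from the platform CSPRNG, for example `self::$sid = bin2hex(random_bytes(20));` on PHP 7 or `bin2hex(openssl_random_pseudo_bytes(20))` on PHP 5, which keeps the 40-hex-character format and leaves `$salt` as optional extra input at most.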
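Review bot: The default in `create($salt = '')` lets a caller omit the salt without any signal, in which case the id is hashed from the previous inputs plus a constant `,` prefix. Callers are outside this file-limited view, so it cannot be confirmed here that all of them pass a value. Neither method documents what `$salt` should contain, so I would add a docblock line such as `@param string $salt caller-supplied value mixed into the session id; must not be attacker-controlled or the only source of unpredictability`. If every call site is expected to pass one, dropping the default would make omissions fail visibly.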