From 06a2cda24b8eb13839acd60fcc27a6a7f9f42b87 Mon Sep 17 00:00:00 2001
From: David Goodwin
Date: Sun, 1 Jun 2025 15:41:08 +0100
Subject: [PATCH] this should be a better PFA_Cookie random token value

---
 functions.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/functions.inc.php b/functions.inc.php
index a459ef29..fa2f73ea 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -117,7 +117,8 @@ function init_session(string $username, bool $is_admin = false, bool $mfa_comple
 $_SESSION['sessid']['mfa_complete'] = false;
 }
 $_SESSION['sessid']['username'] = $username;
- $_SESSION['PFA_token'] = md5(random_bytes(8) . uniqid('pfa', true));
+ // Generate a more secure token using random_bytes and bin2hex instead of md5
+ $_SESSION['PFA_token'] = bin2hex(random_bytes(16));
 return $status;
 }
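Review bot: The comment added above the new `PFA_token` assignment restates the mechanism (`random_bytes` + `bin2hex`) that the call already makes obvious, while the contract a reader actually needs is missing: what the token is for, its strength, and that it is regenerated on every call to init_session(). A comment along the lines of `// PFA_token: 128-bit per-session random token (32 hex chars, same length as the old md5 output); regenerated on each init_session()` would carry that information. The length equivalence is worth stating because md5() also produced 32 hex characters, so any consumer that sizes a column or field around it is unaffected, and the entropy goes from 64 random bits plus uniqid() to a full 128 bits. Wherever the stored token is compared against a submitted value, that comparison should use `hash_equals()` rather than `==`/`===`; that site is not in this hunk, and init_session's body begins before the hunk, so I cannot confirm how it is done.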