this should be a better PFA_Cookie random token value

2025-07-29 22:41:11 +03:00 · 2025-06-01 15:41:08 +01:00
parent 293e318200
commit 06a2cda24b
1 changed files with 2 additions and 1 deletions
--- a/functions.inc.php
+++ b/functions.inc.php
@ -117,7 +117,8 @@ function init_session(string $username, bool $is_admin = false, bool $mfa_comple
        $_SESSION['sessid']['mfa_complete'] = false;
    }
    $_SESSION['sessid']['username'] = $username;
-    $_SESSION['PFA_token'] = md5(random_bytes(8) . uniqid('pfa', true));
+    // Generate a more secure token using random_bytes and bin2hex instead of md5
+    $_SESSION['PFA_token'] = bin2hex(random_bytes(16));

    return $status;
 }