From bcc80c468dcb066d23487089e2f8fdd044a2b5ba Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Sat, 19 Nov 2016 06:50:57 +0100
Subject: [PATCH] Add stronger randomness on session key generation

---
 chat.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/chat.php b/chat.php
index fdf4912..3eebb8d 100644
--- a/chat.php
+++ b/chat.php
@@ -2246,7 +2246,11 @@ function write_new_session(){
 	// create new session
 	$stmt=$db->prepare('SELECT * FROM ' . PREFIX . 'sessions WHERE session=?;');
 	do{
-		$U['session']=md5(time().mt_rand().$U['nickname']);
+		if(function_exists('random_bytes')){
+			$U['session']=bin2hex(random_bytes(16));
+		}else{
+			$U['session']=md5(uniqid($U['nickname'], true).mt_rand());
+		}
 		$stmt->execute([$U['session']]);
 	}while($stmt->fetch(PDO::FETCH_NUM)); // check for hash collision
 	if(isSet($_SERVER['HTTP_USER_AGENT'])){
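Review bot: The fallback branch `$U['session']=md5(uniqid($U['nickname'], true).mt_rand());` still derives the session key from the clock and mt_rand(), so on a PHP build without random_bytes() the key stays predictable despite the commit title; only the random_bytes() path delivers the promised strength. A cheap improvement is to try the OpenSSL CSPRNG before that last resort, e.g. `}elseif(function_exists('openssl_random_pseudo_bytes')){` / `$U['session']=bin2hex(openssl_random_pseudo_bytes(16));` / `}else{`, and to mark the remaining md5 branch with a comment such as `// fallback: not cryptographically strong; install a random_bytes polyfill`. Both branches yield 32 hex characters, so the sessions column width is unaffected, and the do/while collision check still applies to every path. The enclosing write_new_session() starts and ends outside the hunk.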