authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2025-10-04 14:32:18 +0200
committerGravatar GitHub <noreply@github.com> 2025-10-04 14:32:18 +0200
commit57e1a375cbd2db9741ff19167813344f8eff5772 (patch)
tree741fc3820a205ab3ea84a03f6b72615dd8238f99 /app/Models
parentbe49726ebb700aca030004d367c029082cfc6427 (diff)
Strengthen some crypto (#8061)
For login, tokens, nonces
Diffstat (limited to 'app/Models')
-rw-r--r--app/Models/Auth.php3
-rw-r--r--app/Models/FormAuth.php2
2 files changed, 2 insertions, 3 deletions
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index 19cd26aa5..888215730 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -217,8 +217,7 @@ class FreshRSS_Auth {
public static function csrfToken(): string {
$csrf = Minz_Session::paramString('csrf');
if ($csrf == '') {
- $salt = FreshRSS_Context::systemConf()->salt;
- $csrf = sha1($salt . uniqid('' . random_int(0, mt_getrandmax()), true));
+ $csrf = hash('sha256', FreshRSS_Context::systemConf()->salt . random_bytes(32));
Minz_Session::_param('csrf', $csrf);
}
return $csrf;
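Review bot: The salt prefix on the new line 28 no longer adds anything once the input is 32 bytes from `random_bytes()`, and it keeps token generation tied to `FreshRSS_Context::systemConf()` being loaded; `$csrf = bin2hex(random_bytes(32));` gives the same 64-hex-character, 256-bit token without the hash step or the config dependency. `random_bytes()` (like the `random_int()` it replaces) throws — `Random\RandomException` on PHP 8.2+, `Exception` before — when no CSPRNG source is available, which is the right fail-closed behaviour but deserves a note at the call such as `// random_bytes() throws if no CSPRNG is available: fail closed rather than issue a weak token`. The unchanged `$csrf == ''` on line 25 could be `=== ''` for strictness, since the session value is already read as a string. The place where this token is compared with the submitted value is outside this hunk; if that comparison is a plain `==`/`===`, `hash_equals()` is the constant-time choice.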
diff --git a/app/Models/FormAuth.php b/app/Models/FormAuth.php
index 1da03f6d2..8943fa7f5 100644
--- a/app/Models/FormAuth.php
+++ b/app/Models/FormAuth.php
@@ -52,7 +52,7 @@ class FreshRSS_FormAuth {
public static function makeCookie(string $username, string $password_hash): string|false {
do {
- $token = sha1(FreshRSS_Context::systemConf()->salt . $username . uniqid('' . mt_rand(), true));
+ $token = hash('sha256', FreshRSS_Context::systemConf()->salt . $username . random_bytes(32));
$token_file = DATA_PATH . '/tokens/' . $token . '.txt';
} while (file_exists($token_file));