|
|
@ -36,12 +36,7 @@ define('ISLANDORA_AUTHTOKEN_TOKEN_TIMEOUT', 300); |
|
|
|
function islandora_get_object_token($pid, $dsid, $uses = 1) { |
|
|
|
function islandora_get_object_token($pid, $dsid, $uses = 1) { |
|
|
|
global $user; |
|
|
|
global $user; |
|
|
|
$time = time(); |
|
|
|
$time = time(); |
|
|
|
// The function mt_rand is not considered cryptographically secure |
|
|
|
$token = bin2hex(drupal_random_bytes(32)); |
|
|
|
// and openssl_rando_pseudo_bytes() is only available in PHP > 5.3. |
|
|
|
|
|
|
|
// We might be safe in this case because mt_rand should never be using |
|
|
|
|
|
|
|
// the same seed, but this is still more secure. |
|
|
|
|
|
|
|
$token = hash("sha256", mt_rand() . $time); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$id = db_insert("islandora_authtokens")->fields( |
|
|
|
$id = db_insert("islandora_authtokens")->fields( |
|
|
|
array( |
|
|
|
array( |
|
|
|
'token' => $token, |
|
|
|
'token' => $token, |
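Review bot: The new `$token = bin2hex(drupal_random_bytes(32));` line carries no comment, while the four comment lines it replaces were the only record of why the token source matters. I would add `// 256 bits from Drupal's CSPRNG, hex-encoded to 64 characters (same length as the old SHA-256 hex digest).` above it. Because the length is unchanged, the `token` column in `islandora_authtokens` should not need a schema change, though the schema is not visible here. The token is still inserted as-is, so anyone able to read that table within the timeout window holds a usable token; whether the lookup side would permit storing only a hash of it cannot be judged from this hunk. The body of `islandora_get_object_token` continues past the last visible line.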
|
|
|