Use randomness from a CSPRNG to generate unique IDs for assertions

TimWolla · TimWolla · commit 6c6b6b3c3108 · 2021-10-28T14:10:44.000+02:00
diff --git a/src/Saml2/Utils.php b/src/Saml2/Utils.php
@@ -743,7 +743,7 @@ public static function extractOriginalQueryParam($name)
      */
     public static function generateUniqueID()
     {
-        return 'ONELOGIN_' . sha1(uniqid((string)mt_rand(), true));
+        return 'ONELOGIN_' . sha1(random_bytes(20));
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -743,7 +743,7 @@ public static function extractOriginalQueryParam($name)`
`743`	`743`	`*/`
`744`	`744`	`public static function generateUniqueID()`
`745`	`745`	`{`
`746`		`- return 'ONELOGIN_' . sha1(uniqid((string)mt_rand(), true));`
	`746`	`+ return 'ONELOGIN_' . sha1(random_bytes(20));`
`747`	`747`	`}`
`748`	`748`
`749`	`749`	`/**`