[opw-web] Switch to a better method of session ID generation



commit bbc7bd5d08c421ad2e6f0e4e72823c0bef7094af
Author: Owen W. Taylor <otaylor fishsoup net>
Date:   Mon Mar 10 20:45:47 2014 -0400

    Switch to a better method of session ID generation
    
    Use /dev/urandom instead of generating the session ID as a hash
    of guessable data.

 classes/class_user.php |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)
---
diff --git a/classes/class_user.php b/classes/class_user.php
index f238f62..3216262 100644
--- a/classes/class_user.php
+++ b/classes/class_user.php
@@ -77,7 +77,11 @@ class user
     {
         global $core, $db;
 
-        $this->sid = sha1(time() . $core->remote_ip() . $username);
+        $fp = fopen('/dev/urandom', 'rb');
+        $bytes = fread($fp, 16);
+        $this->sid = bin2hex($bytes);
+        fclose($fp);
+
         $admin_flag = $is_admin ? 1 : 0;
 
         $params = array('sid' => $this->sid,
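Review bot: The added lines never check that `fopen('/dev/urandom', 'rb')` succeeded or that `fread` actually returned 16 bytes, so where the device is missing or unreadable (a chroot or a restricted container, for instance) `$bytes` becomes `false` or a short string and `$this->sid` is silently stored as an empty or truncated ID, which is worse than the hash this commit replaces. A failure to obtain entropy should abort the login rather than degrade the session ID; e.g. right after the `fread` line: `if ($fp === false || $bytes === false || strlen($bytes) !== 16) { trigger_error('unable to read 16 bytes from /dev/urandom', E_USER_ERROR); }`. If the project can assume PHP 7.0 or later, `$this->sid = bin2hex(random_bytes(16));` gives the same result with the failure handling built in (it throws) and removes the `fopen`/`fclose` pair. Note that the enclosing method's signature and the remainder of its body lie outside this hunk.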

