diff --git a/core/lib/Drupal/Component/Utility/Crypt.php b/core/lib/Drupal/Component/Utility/Crypt.php
index 583544eb01..6ebdc4aac8 100644
--- a/core/lib/Drupal/Component/Utility/Crypt.php
+++ b/core/lib/Drupal/Component/Utility/Crypt.php
@@ -154,22 +154,18 @@ public static function hashEquals($known_string, $user_string) {
 }
 /**
- * Returns a base64-encoded string of highly randomized bytes.
+ * Returns a URL-safe, base64 encoded string of highly randomized bytes.
 *
- * @param int $count
+ * @param $count
 * The number of random bytes to fetch and base64 encode.
 *
- * @param array|string $replace
- * Optional. An array or string to pass to str_replace(). This value will
- * replace "+", "/", and "=". Defaults to URL-safe characters.
- *
 * @return string
 * The base64 encoded result will have a length of up to 4 * $count.
 *
 * @see \Drupal\Component\Utility\Crypt::randomBytes()
 */
- public static function randomBytesBase64($count = 32, $replace = ['-', '_']) {
- return str_replace(['+', '/', '='], $replace, base64_encode(static::randomBytes($count)));
+ public static function randomBytesBase64($count = 32) {
+ return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode(static::randomBytes($count)));
 }
 }
diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php
index 2ef206be64..54b68cb48e 100644
--- a/core/lib/Drupal/Core/Session/SessionManager.php
+++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -147,7 +147,7 @@ public function start() {
 // the session id from within application code. Consider using the
 // default php session id instead of generating a custom one:
 // https://www.drupal.org/node/2238561
- $this->setId(Crypt::randomBytesBase64(32, [',', '-']));
+ $this->setId(base_convert(bin2hex(Crypt::randomBytes(32)), 16, 32));
 // Initialize the session global and attach the Symfony session bags.
 $_SESSION = [];
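Review bot: Removing `$replace` from `randomBytesBase64()` does not make existing two-argument calls fail, because PHP silently ignores surplus arguments passed to a userland function. Any caller outside this diff that still passes its own replacement characters would quietly receive `-` and `_` output instead, which matters wherever the permitted alphabet is narrower than URL-safe base64. The remaining call sites should be checked before this lands. The docblock also lost the parameter type and should read `@param int $count`.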
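Review bot: `base_convert()` on the 64-digit hex string in `start()` throws away most of the randomness. PHP documents that the function loses precision on large numbers because it goes through the internal float type, so only roughly the leading 53 bits of the 32 random bytes survive and the trailing base-32 digits become predictable. A session identifier with that little entropy is far easier to guess than the 256 bits the code appears to intend. Encoding the bytes without a numeric conversion keeps all of them and still yields a valid identifier, e.g. `$this->setId(bin2hex(Crypt::randomBytes(32)));`. The `regenerate()` hunk uses the same expression, where `session_id(bin2hex(Crypt::randomBytes(32)));` is the equivalent change; both method bodies continue outside their hunks.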
@@ -246,7 +246,7 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) {
 $this->startedLazy = TRUE;
 }
 // Generate a valid PHP session identifier.
- session_id(Crypt::randomBytesBase64(32, [',', '-']));
+ session_id(base_convert(bin2hex(Crypt::randomBytes(32)), 16, 32));
 $this->getMetadataBag()->clearCsrfTokenSeed();