From f5025023fad7f0fbe896a39b67bef87c89737f2f Mon Sep 17 00:00:00 2001
From: Jesse Norell <jesse@kci.net>
Date: Thu, 3 Feb 2022 14:14:59 -0700
Subject: [PATCH] session id must begin with char

---
 interface/lib/classes/remoting.inc.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/interface/lib/classes/remoting.inc.php b/interface/lib/classes/remoting.inc.php
index 23c123ec6c..8b888cb231 100644
--- a/interface/lib/classes/remoting.inc.php
+++ b/interface/lib/classes/remoting.inc.php
@@ -138,8 +138,8 @@ class remoting {
 			}
 
 			//* Create a remote user session
-			//srand ((double)microtime()*1000000);
-			$remote_session = bin2hex(random_bytes(20));
+			// session id must begin with a char, not digit, to avoid mysql type confusion abuse
+			$remote_session = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz'),0,1).bin2hex(random_bytes(20));
 			$remote_userid = $user['userid'];
 			$remote_functions = '';
 			$tstamp = time() + $this->session_timeout;
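Review bot: The leading letter on the new `$remote_session` line is drawn with `str_shuffle()`, which uses the global Mt19937 generator rather than a CSPRNG, so the prefix is weaker than the `random_bytes()` part it is glued to and contributes only log2(26) bits anyway; `chr(random_int(ord('a'), ord('z'))) . bin2hex(random_bytes(20))` keeps the whole id CSPRNG-derived and drops the shuffle of a 26-byte string for one character. The same expression is duplicated in the second hunk (the `$remote_session` line after "Create a remote user session"); a private helper such as `private function generateSessionId(): string` would keep the two sites from drifting. The prefix only affects ids generated after this change: any session row already stored with a digit-leading id is untouched, and the lookup that compares the stored id (outside this hunk) presumably still relies on MySQL's string-to-number coercion unless it binds the value as a quoted string, so that comparison is where the type confusion is actually closed. The enclosing method starts and ends outside the hunk.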
@@ -210,8 +210,8 @@ class remoting {
 					return false;
 				}
 				//* Create a remote user session
-				//srand ((double)microtime()*1000000);
-				$remote_session = bin2hex(random_bytes(20));
+				// session id must begin with a char, not digit, to avoid mysql type confusion abuse
+				$remote_session = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz'),0,1).bin2hex(random_bytes(20));
 				$remote_userid = $remote_user['remote_userid'];
 				$remote_functions = $remote_user['remote_functions'];
 				$tstamp = time() + $this->session_timeout;
-- 
GitLab