I have an admin login system which sets a hidden form field "token" value and sets that same value as a session variable. When the user logs in, a script compares the POSTed form field value and session value to ensure they are the same.
This works fine in every browser except Mac Firefox (2.0.0.15). I have tried echoing the value of $SESSION['token'] immediately before the closing PHP tag of the first page (where the user enters their username & password), and immediately after the 'session_start()' on the second page (which processes the submitted form) and the two values are different. On every other browser (Safari, Windows Firefox, IE) $SESSION['token'] does not change. Only Mac Firefox.
What's weird is, the new/wrong token value still looks like an MD5 hash. But I have confirmed my token-generating function is not running again. And the new/wrong token is entirely new - not one that was previously generated, and perhaps hanging around somewhere only to surface later.
    protected function setToken()
    {
        $token = md5(uniqid(rand(), TRUE));
        $_SESSION['token'] = $token;
        $this->tplObject->set('token', $token); // sets token in form
    }
I'd post more code, but it's tough to know what to post, since I don't know where it's happening (a lot of included modules and whatnot). Also haven't seen this on other sites that use a similar scheme. And, it used to work - seems to be a recent development.
Any ideas?
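
The hidden-field/session token scheme described in the post above, as an added example that is not the poster's code: the token is created only when the session has none, each creation is logged with the request that caused it, and the comparison is constant-time. The function names `issueFormToken` and `verifyFormToken` are hypothetical, PHP 7+ is assumed, and `random_bytes()` is swapped in for `md5(uniqid(rand(), TRUE))`.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical helpers, not code from the original post.

/** Return the session's form token, creating one only if none exists yet. */
function issueFormToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32)); // CSPRNG, 64 hex chars
        // Record which request caused a token to be created, so an
        // unexpected second issuance is visible in the error log.
        error_log(sprintf(
            'form token issued: sid=%s uri=%s ua=%s',
            substr(hash('sha256', session_id()), 0, 12), // never log the raw session id
            $_SERVER['REQUEST_URI'] ?? '-',
            $_SERVER['HTTP_USER_AGENT'] ?? '-'
        ));
    }
    return $_SESSION['token'];
}

/** Compare the POSTed token with the session copy; a token is valid once. */
function verifyFormToken($submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['token'] ?? '';
    // Reject missing values and non-strings (e.g. token[]=x arrives as an array).
    if (!is_string($expected) || $expected === ''
        || !is_string($submitted) || $submitted === '') {
        return false;
    }
    $ok = hash_equals($expected, $submitted); // constant-time comparison
    if ($ok) {
        unset($_SESSION['token']); // single use: the next form gets a fresh token
    }
    return $ok;
}

// Login form page:
//   <input type="hidden" name="token"
//          value="<?= htmlspecialchars(issueFormToken(), ENT_QUOTES) ?>">
// Form handler:
//   if (!verifyFormToken($_POST['token'] ?? null)) { http_response_code(400); exit; }
```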