Use more secure random number generation for CSRF auth tokens

* Also cleaned up pull request

airtime_mvc/application/controllers/PluploadController.php

@@ -31,10 +31,10 @@ class PluploadController extends Zend_Controller_Action
             $this->view->quotaLimitReached = true;
         }
 
+        //Because uploads are done via AJAX (and we're not using Zend form for those), we manually add the CSRF
+        //token in here.
         $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
-        /* Moved to be globally set in Bootstrap */
-        // $csrf_namespace->setExpirationSeconds(5*60*60);
-        // $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+        //The CSRF token is generated in Bootstrap.php
 
         $csrf_element = new Zend_Form_Element_Hidden('csrf');
         $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');

airtime_mvc/application/controllers/plugins/Acl_plugin.php

@@ -156,7 +156,7 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
 
                 if (!$tokenValid) {
                     $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
-                    $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+                    $csrf_namespace->authtoken = sha1(openssl_random_pseudo_bytes(128));
 
                     Logging::warn("Invalid CSRF token: $token");
                     $this->getResponse()