Description: Replace double MD5 by Crypt::URandom
Author: Xavier Guimard <yadd@debian.org>
Bug: <url in upstream bugtracker>
Bug-Debian: https://bugs.debian.org/930659
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: 2019-06-20

--- a/lib/Apache/Session/Generate/MD5.pm
+++ b/lib/Apache/Session/Generate/MD5.pm
@@ -11,7 +11,7 @@
 
 use strict;
 use vars qw($VERSION);
-use Digest::MD5;
+use Crypt::URandom;
 
 $VERSION = '2.12';
 
@@ -22,10 +22,16 @@
     if (exists $session->{args}->{IDLength}) {
         $length = $session->{args}->{IDLength};
     }
-    
+
+    eval {
+        $session->{data}->{_session_id} =
+          substr(unpack( 'H*', Crypt::URandom::urandom(int(($length+1)/2))), 0, $length);
+    };
+    if($@) {
+    require Digest::MD5;
     $session->{data}->{_session_id} = 
         substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, $length);
-    
+    }
 
 }
 
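Review bot: The `if($@)` branch silently falls back to the old `md5_hex(md5_hex(time(). {}. rand(). $$))` generator whenever `Crypt::URandom::urandom` throws, so a failure of the random source produces a session ID built only from the time, a reference address, `rand()` and the PID, with nothing logged. A session-ID generator should fail closed: drop the `eval`/`if($@)` wrapper so the exception propagates, or replace the branch with `die "Cannot generate session id: $@" if $@;`. The fallback is also inconsistent for `IDLength` above 32, where the MD5 path returns at most 32 hex characters while the urandom path returns the full length. If the fallback has to stay, it should at least `warn`, and the code should test the result of `eval { ...; 1 }` rather than `$@`. The enclosing sub starts above the hunk, so whether `$length` is validated before use is not visible here.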
