Index: t3lib/class.t3lib_userauth.php
===================================================================
--- t3lib/class.t3lib_userauth.php (revision 8265)
+++ t3lib/class.t3lib_userauth.php (working copy)
@@ -228,7 +228,7 @@
 // If new session or client tries to fix session...
 if (!$id || !$this->isExistingSessionRecord($id)) {
 // New random session-$id is made
- $id = substr(md5(uniqid('').getmypid()),0,$this->hash_length);
+ $id = t3lib_div::generateRandomString($this->hash_length);
 // New session
 $this->newSessionID = TRUE;
 }
Index: t3lib/class.t3lib_div.php
===================================================================
--- t3lib/class.t3lib_div.php (revision 8265)
+++ t3lib/class.t3lib_div.php (working copy)
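Review bot: The unpredictability of the new session id is now bounded only by `$this->hash_length`, which is set outside this hunk, and nothing at the call site records that each hex character of the returned string contributes four bits. A short comment on the replaced line would keep that coupling visible to whoever tunes the property later, e.g. `// hash_length hex digits = hash_length * 4 bits of entropy; keep it large enough for session ids`. The old `md5(uniqid('').getmypid())` construction was time- and pid-derived, so the switch to `t3lib_div::generateRandomString()` is the right direction; the enclosing method starts and ends outside the hunk.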
@@ -1383,24 +1383,55 @@
 if (TYPO3_OS != 'WIN' && ($fh = @fopen('/dev/urandom', 'rb'))) {
 $output = fread($fh, $count);
 fclose($fh);
+ } elseif (TYPO3_OS == 'WIN' && function_exists('mcrypt_create_iv') && version_compare(PHP_VERSION, '5.3.0', '>=')) {
+ $output = mcrypt_create_iv($count, MCRYPT_DEV_URANDOM);
+ } elseif (TYPO3_OS == 'WIN' && version_compare(PHP_VERSION, '5.3.0', '>=') && function_exists('openssl_random_pseudo_bytes')) {
+ $isStrong = null;
+ $output = openssl_random_pseudo_bytes($count, $isStrong);
+ // skip ssl since it wasn't using the strong algo
+ if ($isStrong !== TRUE) {
+ $output = '';
+ }
 }
- // fallback if /dev/urandom is not available
+ // Try to use windows COM API if we did not get random bytes yet
+ if (!isset($output{$count - 1}) && TYPO3_OS == 'WIN' && class_exists('COM') && version_compare(PHP_VERSION, '5.0.0', '>=')) {
+ try {
+ $com = new COM('CAPICOM.Utilities.1');
+ $output = $com->GetRandom($count, 1);
+ } catch(Exception $e) {
+ }
+ }
+
+ // fallback if other random byte generation failed until now
 if (!isset($output{$count - 1})) {
 // We initialize with the somewhat random.
- $randomState = $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']
- . microtime() . getmypid();
+ $randomState = $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'];
+ if (version_compare(PHP_VERSION, '4.3.2', '>=') && function_exists('memory_get_usage')) {
+ $randomState .= base_convert(memory_get_usage() % pow(10,6), 10, 2);
+ }
+ $randomState .= microtime() . getmypid();
 while (!isset($output{$count - 1})) {
- $randomState = md5(microtime() . mt_rand() . $randomState);
- // Fix: Work around PHP4 allowing only one parameter to md5()
- // $output .= md5(mt_rand() . $randomState, true);
- $output .= pack('H*', md5(mt_rand() . $randomState));
+ $randomState = sha1(microtime() . mt_rand() . $randomState);
+ // Fix: Work around PHP4 allowing only one parameter to sha1()
+ // $output .= sha1(mt_rand() . $randomState, true);
+ $output .= pack('H*', sha1(mt_rand() . $randomState));
 }
 $output = substr($output, strlen($output) - $count, $count);
 }
 return $output;
 }
+ /**
+ * Returns a hex representation of a random byte string.
+ *
+ * @param integer Number of hex characters to return
+ * @return string Random Bytes
+ */
+ function generateRandomString($count)
+ {
+ return substr(bin2hex(t3lib_div::generateRandomBytes(intval(($count + 1) / 2))), 0, $count);
+ }
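Review bot: The two new `elseif` branches for `mcrypt_create_iv()` and `openssl_random_pseudo_bytes()` are guarded by `TYPO3_OS == 'WIN'`, so a non-Windows host where the `@fopen('/dev/urandom')` above fails (the case the rest of the hunk exists for) skips both kernel-backed sources and lands directly in the `sha1()`/`mt_rand()` chain, whose unpredictability rests on `encryptionKey` staying secret. Dropping `TYPO3_OS == 'WIN' && ` from both `elseif` conditions makes them reachable on every platform, and the existing `$isStrong !== TRUE` reset already guards the OpenSSL case. The empty `catch(Exception $e) {}` around the COM call is tolerable only because the fallback follows it; a one-line comment such as `// COM failure is non-fatal: the fallback below handles an empty $output` would make that intent explicit. The `isset($output{$count - 1})` loop condition looks like it never becomes true for `$count` of 0 on the PHP versions this code targets, so it is worth confirming that `$count` is validated before this hunk; the start of `generateRandomBytes()` is outside the hunk.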