diff --git a/lib/wsapi/session_context.js b/lib/wsapi/session_context.js
index 3f250d53127acfc3219056ce1147c220ce3960f4..8a4dd29a5345edb3ec66189ad4109d0ce0fcc6b9 100644
--- a/lib/wsapi/session_context.js
+++ b/lib/wsapi/session_context.js
@@ -6,6 +6,7 @@ wsapi = require('../wsapi.js'),
 secrets = require('../secrets.js');
 
 // return the CSRF token, authentication status, and current server time (for assertion signing)
+// 2011-12-22: adding a random seed for keygen
 // IMPORTANT: this is safe because it's only readable by same-origin code
 
 exports.method = 'get';
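Review bot: The header comment at the top of this hunk still describes the response as "the CSRF token, authentication status, and current server time" even though the commit adds a random seed to the same response, and the new line `// 2011-12-22: adding a random seed for keygen` records when the field was added rather than what it is, which the commit log already covers. Suggest folding both into one description: `// return the CSRF token, authentication status, current server time (for assertion signing), and a random seed for client-side keygen`. The `IMPORTANT` same-origin line now also justifies handing out the seed, so it is worth saying so explicitly, e.g. `// IMPORTANT: this (including the seed) is safe only because it's readable by same-origin code`.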
@@ -22,9 +23,9 @@ exports.process = function(req, res) {
   }
 
   if (typeof req.session.csrf == 'undefined') {
-    // FIXME: using express-csrf's approach for generating randomness
-    // not awesome, but probably sufficient for now.
-    req.session.csrf = crypto.createHash('md5').update('' + new Date().getTime()).digest('hex');
+    // more random CSRF
+    // FIXME: async?
+    req.session.csrf = crypto.randomBytes(16).toString('base64');
     logger.debug("NEW csrf token created: " + req.session.csrf);
   }
 
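Review bot: The `FIXME: async?` left on the new `crypto.randomBytes(16)` line should be resolved rather than shipped: the synchronous form blocks the handler while the bytes are generated and, on older Node releases, can throw when entropy is not available, so either the handler moves to the callback form `crypto.randomBytes(16, function(err, buf) { ... })` — a larger change, since `exports.process` starts and ends outside this hunk — or the comment should state that the synchronous call is an accepted cost for a 16-byte token. Now that the token is real secret material rather than an md5 of the clock, the unchanged `logger.debug("NEW csrf token created: " + req.session.csrf)` writes that secret to the log; `logger.debug("NEW csrf token created");` keeps the event without the value. The `+/=` characters in the base64 output are fine inside the JSON response but should be kept in mind if the token is ever placed in a URL.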
@@ -35,7 +36,8 @@ exports.process = function(req, res) {
       csrf_token: req.session.csrf,
       server_time: (new Date()).getTime(),
       authenticated: auth_status,
-      domain_key_creation_time: domainKeyCreationDate.getTime()
+      domain_key_creation_time: domainKeyCreationDate.getTime(),
+      random_seed: crypto.randomBytes(32).toString('base64')
     });
   };