diff --git includes/common.inc includes/common.inc
index 51c2f5f..231da78 100644
--- includes/common.inc
+++ includes/common.inc
@@ -4265,10 +4265,10 @@ function drupal_get_private_key() {
  * An additional value to base the token on.
  */
 function drupal_get_token($value = '') {
-  $private_key = drupal_get_private_key();
-  // A single md5() is vulnerable to length-extension attacks, so use it twice.
-  // @todo: add md5 and sha1 hmac functions to core.
-  return md5(drupal_get_hash_salt() . md5(session_id() . $value . $private_key));
+  $token = base64_encode(hash_hmac('sha256', $value, drupal_get_private_key() . drupal_get_hash_salt(), TRUE));
+  // Modify the token so it's safe to use in URLs.
+  $token = strtr($token, array('+' => '-', '/' => '_', '=' => ''));
+  return $token;
 }
 
 /**
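Review bot: The HMAC key built on the first added line drops `session_id()`, which the removed `md5()` line mixed into the token; with only the private key and hash salt as key material, the token for a given `$value` is now identical for every session, so a token an attacker obtains from their own session validates for any other user and the CSRF protection these tokens back is lost. Bind the token to the session again, e.g. `$key = session_id() . drupal_get_private_key() . drupal_get_hash_salt();` followed by `hash_hmac('sha256', $value, $key, TRUE)`. Stripping the `=` padding is fine for URL use but means the token cannot be decoded back to the raw MAC, so the verifier presumably regenerates and compares whole tokens; that comparison lives in `drupal_valid_token`, outside this hunk, and should be a constant-time compare rather than `==` so the switch to a real MAC is not undermined by a timing side channel. A one-line comment such as `// Keyed with the session ID so a token is only valid for the session that requested it.` would document why the session is part of the key.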