diff --git a/inc/media.php b/inc/media.php
index e29a47631030d8da0ff68bd258f853fee93e406c..18148a44607f3a9131d3b10d46c092f0a65bab66 100644
--- a/inc/media.php
+++ b/inc/media.php
@@ -1879,20 +1879,21 @@ function media_crop_image($file, $ext, $w, $h=0){
  * cropped images have been internally generated - and prevent external
  * DDOS attacks via fetch
  *
+ * @author Christopher Smith <chris@jalakai.co.uk>
+ *
  * @param string  $id    id of the image
  * @param int     $w     resize/crop width
  * @param int     $h     resize/crop height
- *
- * @author Christopher Smith <chris@jalakai.co.uk>
+ * @return string
  */
 function media_get_token($id,$w,$h){
     // token is only required for modified images
     if ($w || $h) {
-        $token = auth_cookiesalt().$id;
+        $token = $id;
         if ($w) $token .= '.'.$w;
         if ($h) $token .= '.'.$h;
 
-        return substr(md5($token),0,6);
+        return substr(PassHash::hmac('md5', $token, auth_cookiesalt()),0,6);
     }
 
     return '';