On 17 May 2022, at 23:11, Mark Randall <marand...@php.net> wrote:
> On 17/05/2022 21:36, David CARLIER wrote:
>> I wanted a more general but early feedback on the idea itself
>> https://github.com/php/php-src/pull/3759
>
> What is the motivation? What is it meant to achieve?

If the Session ID continued to work as the Identifier, but the client was given the Session ID and a Random Key (could be concatenated together for the cookie)... that means the Random Key would not be stored on the server, and could protect the session if there was a vulnerability on the server/website (e.g. attacker being able to see the directory listing of session files)... I'm not sure how much of a benefit that will actually provide, vs the risk of it going wrong (e.g. future PHP changing encryption algorithm).

Craig

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
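
The scheme described in the message above, sketched as an added example; it is not code from php-src, the linked pull request, or anyone in the thread. Assumptions: the key encrypts the stored session data with libsodium's secretbox, an array stands in for the session files, and all function and constant names are hypothetical. The version byte addresses the concern about a later change of algorithm.

```php
<?php
// Added illustration; not code from php-src or the linked pull request.
// Assumed design: cookie = session ID (hex) + random key (hex);
// the server keeps only ciphertext, indexed by the session ID.
const ID_BYTES   = 16;            // assumed session ID size
const ID_HEX_LEN = 2 * ID_BYTES;
const FORMAT_V1  = "\x01";        // version tag so the algorithm can change later

function session_write(array &$store, string $id, string $key, array $data): void
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox(json_encode($data, JSON_THROW_ON_ERROR), $nonce, $key);
    $store[$id] = FORMAT_V1 . $nonce . $box;
}

/** Create a session and return the cookie value. $store stands in for the session files. */
function session_create(array &$store, array $data): string
{
    $id  = bin2hex(random_bytes(ID_BYTES));
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    session_write($store, $id, $key, $data);
    return $id . bin2hex($key);   // the key leaves the server here and is never stored
}

/** Return the session data, or null for a malformed cookie, unknown ID or wrong key. */
function session_read(array $store, string $cookie): ?array
{
    $cookieLen = ID_HEX_LEN + 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES;
    if (strlen($cookie) !== $cookieLen || !ctype_xdigit($cookie)) {
        return null;
    }
    $id     = substr($cookie, 0, ID_HEX_LEN);
    $key    = hex2bin(substr($cookie, ID_HEX_LEN));
    $blob   = $store[$id] ?? '';
    $minLen = 1 + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($blob) < $minLen || $blob[0] !== FORMAT_V1) {
        return null;              // unknown ID, truncated record or unsupported format
    }
    $nonce = substr($blob, 1, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($blob, 1 + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : json_decode($plain, true);
}

$store  = [];
$cookie = session_create($store, ['user' => 'alice']);   // constructed sample data
$id     = substr($cookie, 0, ID_HEX_LEN);                 // all that a file listing exposes
var_dump(session_read($store, $cookie) === ['user' => 'alice']);    // full cookie: data returned
var_dump(session_read($store, $id . str_repeat('0', 64)) === null); // ID without the key: rejected
```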