On 18/05/2022 16:23, Craig Francis wrote:
> If the Session ID continued to work as the Identifier, but the client was given the Session ID and a Random Key (could be concatenated together for the cookie)... that means the Random Key would not be stored on the server, and could protect the session if there was a vulnerability on the server/website (e.g. attacker being able to see the directory listing of session files)... I'm not sure how much of a benefit that will actually provide, vs the risk of it going wrong (e.g. future PHP changing encryption algorithm).
Personally I usually just throw the session key through a one-way hash so the original session ID never gets written to a backing store.
I'm not sure why reversible encryption needs to take place?

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php