On 18 May 2022, at 17:02, Mark Randall <marand...@php.net> wrote:

> Personally I usually just throw the session key through a one-way hash so the
> original session ID never gets written to a backing store.

Good idea, but that's not done by default.

> I'm not sure why reversible encryption needs to take place?

It might provide privacy (if the attacker can read the session files, and they contain sensitive information, e.g. some developers store a copy of the user's entire record in the session to avoid db lookups)... and it might prevent edits being made to the session file.

I would hope both are very rare, but I'm still writing up reports about developers doing things like `file_put_contents('/tmp/' . $_POST['id'], $_POST['message'])`, so I don't have a lot of hope.

Craig

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php