On Tue, Jan 27, 2015 at 3:35 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi all,
>
> On Tue, Jan 27, 2015 at 11:06 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
> > - session.hash_function=1 : Use SHA1 rather than MD5
> >
> I realized that we should remove hashing for better performance.
>
> Since session ID is generated from crypt secure RNG (/dev/urandom by default),
> simply converting the data into text is enough. Hashing is _slow_.
>
> Any comments?
>

On the contrary, both sha1 and md5 are super fast, so I don't think that is a good argument.
And if you remove the hashing there will be no known length for the session id, and sooner or later people will screw themselves when bumping into some limit or getting their session id truncated (be that a cookie max length or a db field).

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu