On 06.04.2016 07:47, Yasuo Ohgaki wrote:
> Session module does not require hashing to generate session ID. This
> RFC removes hashing from session module and enables use_strict_mode as
> an insurance for broken RNG.
>
> https://wiki.php.net/rfc/session-id-without-hashing

I cannot talk about the merits of the randomness-change here, but use_strict_mode defaulting to 1 is a major +1 from me. Why it's advertised everywhere as best practice but even set to 0 in php.ini-production is beyond me.

- Markus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
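
Added example, not part of the original message and not PHP project code: a small Python check that reports whether a php.ini text enables session.use_strict_mode, the setting discussed in the thread above. The function name, the constructed sample ini snippets, and the fallback to a built-in default of 0 when the directive is absent are assumptions of this example.

```python
import re

# Words PHP's ini handling treats as boolean true (case-insensitive).
TRUE_WORDS = {"on", "yes", "true"}
DIRECTIVE = re.compile(r"session\.use_strict_mode\s*=\s*(.*)")


def parse_bool(value):
    """Interpret an ini value the way a PHP boolean directive is read."""
    value = value.strip().strip("\"'")
    if value.lower() in TRUE_WORDS:
        return True
    digits = re.match(r"[+-]?\d+", value)
    return bool(digits) and int(digits.group()) != 0


def strict_mode_setting(ini_text):
    """Return (enabled, line_no); line_no is None when the directive is unset.

    Assumptions: a later assignment overrides an earlier one, section
    headers such as [Session] do not scope the directive, and an unset
    directive falls back to the built-in default of 0.
    """
    enabled, line_no = False, None
    for number, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        match = DIRECTIVE.fullmatch(line)
        if match:
            enabled, line_no = parse_bool(match.group(1)), number
    return enabled, line_no


# Constructed samples, not copied from any shipped php.ini.
SAMPLES = {
    "weak": "[Session]\nsession.use_strict_mode = 0\n",
    "hardened": "[Session]\nsession.use_strict_mode = On ; reject unknown IDs\n",
    "commented-out": "[Session]\n;session.use_strict_mode = 1\n",
    "overridden": "session.use_strict_mode = 1\nsession.use_strict_mode = 0\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        enabled, line_no = strict_mode_setting(text)
        origin = f"line {line_no}" if line_no else "default (unset)"
        print(f"{name:14} strict_mode={'on' if enabled else 'OFF'}  from {origin}")
```

This reads one ini text only; the value can also be changed per directory or at runtime, so `ini_get('session.use_strict_mode')` inside the application remains the authoritative check.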