Hi!

> Session module does not require hashing to generate session ID. This
> RFC removes hashing from session module and enables use_strict_mode as
> an insurance for broken RNG.
>
> https://wiki.php.net/rfc/session-id-without-hashing

I'm not sure why that should be the default. First of all, I'm not sure exporting the state of the PRNG is that good an idea; there may be a vulnerability in the PRNG that could be opened (or made easier) for exploit with direct access to its output. I'd rather not provide this opening unnecessarily.

Second, I do not see why we need to do a maximum breakage change if we could just make an identity "hash" function and support both cases. "Session generation performance" does not have a lot of meaning here - I'd be very surprised to see any application that is bound by the speed of generating session IDs.

Also, I don't see how the use_strict_mode change is related to the hashing. Could you explain?

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php