On Sat, 2 Jul 2016 at 08:36 Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> Hi all,
>
> Currently session module uses obsolete MD5 for session ID. With
> CSPRNG, hashing is redundant and needless. It adds hash module
> dependency and is inefficient (There is no reason to use hash for CSPRNG
> generated bytes).
>
> This proposal cleans up session code by removing hash.
>
> https://wiki.php.net/rfc/session-id-without-hashing
>
> I set vote requires 2/3 support.
> Please describe the reason why when you are against this RFC. Reasons are
> important for improvements!
>

I support the idea proposed here, but I have issues with the implementation. You've changed a lot of defaults that may break things for some users (especially those using custom session handlers). I'll add some notes on GitHub.