Hi all,

On Sat, Jul 2, 2016 at 4:35 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Currently the session module uses obsolete MD5 for the session ID. With
> a CSPRNG, hashing is redundant and needless. It adds a hash module
> dependency and is inefficient (there is no reason to use a hash for
> CSPRNG-generated bytes).
>
> This proposal cleans up session code by removing hash.
>
> https://wiki.php.net/rfc/session-id-without-hashing
>
> I set the vote to require 2/3 support.
> Please describe the reason why when you are against this RFC. Reasons are
> important for improvements!
>
> Thank you!

Some of us worried about CSPRNG state exposure. I'm wondering how many
of you will vote in favor if I change the RFC to use hash functions
optionally. This means code and INI settings related to hash function
selection will remain. Please note that ext/hash is not always built.
If you are against keeping hash-related code, please let me know also.

Thank you!

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
