Open javiereguiluz opened 1 year ago
This bundle uses sha256 as the default hashing algorithm for signed cookies:
sha256
https://github.com/nelmio/NelmioSecurityBundle/blob/93f80092dce178e77876c2ef4224e74f18c385c7/src/DependencyInjection/Configuration.php#L255
This might be no longer safe enough: https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions
Maybe we can move to sha3-256 or higher, which is also supported by PHP? https://www.php.net/manual/en/function.hash-algos.php
This bundle uses
sha256as the default hashing algorithm for signed cookies:https://github.com/nelmio/NelmioSecurityBundle/blob/93f80092dce178e77876c2ef4224e74f18c385c7/src/DependencyInjection/Configuration.php#L255
This might be no longer safe enough: https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions
Maybe we can move to sha3-256 or higher, which is also supported by PHP? https://www.php.net/manual/en/function.hash-algos.php