Open dvv opened 9 years ago
@dvv I know this is really old, but I was wondering if you could further explain how an attacker could take advantage of plain comparison here. I am thinking of forking this repo since development on it has stopped and would like to potentially fix this.
Hi!
Using plain comparison https://github.com/stevencorona/SessionHandlerCookie/blob/master/src/SessionHandler/Storage/SecureCookie.php#L65 opens the subj.
Please consider using something like https://github.com/dvv/macaron/blob/master/src/Macaron.php#L36-L59.
TIA, --Vladimir
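The difference between a plain comparison and a constant-time one, as an added example that is not code from SessionHandlerCookie or Macaron; the `payload.signature` cookie layout, the key and the function names are assumed for illustration:

```php
<?php
// Added example (not the SessionHandlerCookie project's code): a signed session
// cookie "payload.signature" verified two ways. All names here are assumed.
declare(strict_types=1);

const COOKIE_KEY = 'constructed-demo-key-do-not-reuse'; // constructed sample secret

function signCookie(string $payload, string $key): string
{
    // HMAC-SHA256 over the payload, hex encoded, joined with a '.' separator
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Weak: '===' compares byte by byte and stops at the first mismatch, so the
// time it takes depends on how many leading bytes of the signature are right.
function verifyCookieWeak(string $cookie, string $key): ?string
{
    $pos = strrpos($cookie, '.');
    if ($pos === false) {
        return null;
    }
    $payload = substr($cookie, 0, $pos);
    $sig = substr($cookie, $pos + 1);
    if ($sig === hash_hmac('sha256', $payload, $key)) { // timing-dependent
        return $payload;
    }
    return null;
}

// Fixed: hash_equals() (PHP >= 5.6) takes the same time wherever the strings
// differ. The known-good value is passed first, as its documentation requires.
function verifyCookie(string $cookie, string $key): ?string
{
    $pos = strrpos($cookie, '.');
    if ($pos === false) {
        return null;
    }
    $payload = substr($cookie, 0, $pos);
    $sig = substr($cookie, $pos + 1);
    $expected = hash_hmac('sha256', $payload, $key);
    if (hash_equals($expected, $sig)) {
        return $payload;
    }
    return null;
}

// Usage: a freshly signed cookie verifies, a tampered one is rejected.
$cookie = signCookie('user=42', COOKIE_KEY);
var_dump(verifyCookie($cookie, COOKIE_KEY));
var_dump(verifyCookie($cookie . 'x', COOKIE_KEY));
```

Both functions reject a tampered cookie; only the second does so without leaking, through timing, how close a guessed signature is to the real one.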