I’m taking the session_id and running it through MD5 encryption to build a logout process.
I’d like to know if there’s any security issue with that: can I do it this way, or will I be taking some risk in the future?
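<a href="painel.php?logoff=true&token=<?php echo md5(session_id()); ?>">Sair</a>

<?php
// Handler in painel.php; assumes session_start() was already called.
$logoff = filter_input(INPUT_GET, 'logoff', FILTER_VALIDATE_BOOLEAN);
$token = filter_input(INPUT_GET, 'token');
if($logoff && $token == md5(session_id())){
    unset($_SESSION['userlogin']);
    session_destroy();
    header('Location: ../painel');
    exit; // stop the script so nothing runs after the redirect
}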
Related or duplicate: https://answall.com/q/2402/101, https://answall.com/q/137086/101, https://answall.com/q/41517/101.
– Maniero
A quick comment I could make to point you in the right direction: MD5 cannot be decrypted because it is a hash; that is theoretically impossible. But there is a way to deduce hashes through prior knowledge; that is, if there is a database with millions of MD5 hashes produced from random strings, it is possible to obtain a "before and after".
– Paulo Roberto Rosa
Is this to check if the person asking for the logoff is the same person? Apart from the encryption security part, the logic of the code makes no sense and does not seem necessary.
– Guilherme Nascimento
Guilherme, yes, that’s what it’s for. But why doesn’t it make sense? Imagine a person with bad intentions sending logoff links to people, for example. Just one example. With this approach I would not have that problem.
– Lucas de Carvalho
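
One way to get the protection described in the last comment (a logout that a third party cannot trigger with a prepared link) without putting a value derived from the session ID in the URL. This is an added example, not code from the question; the `logout_token` session key and the two helper functions are hypothetical names.

```php
<?php
// Added example: logout guarded by a random, session-bound token
// instead of md5(session_id()).
session_start();

// Hypothetical helper: create the token once per session. It is generated
// independently of the session ID, so it says nothing about the cookie value.
function logout_token(): string
{
    if (empty($_SESSION['logout_token'])) {
        $_SESSION['logout_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['logout_token'];
}

// Hypothetical helper: hash_equals() compares in constant time and never
// applies the numeric-string juggling that == can apply to hex digests.
function logout_token_is_valid($submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['logout_token'])
        && hash_equals($_SESSION['logout_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logoff'])) {
    if (!logout_token_is_valid($_POST['token'] ?? null)) {
        http_response_code(403);   // forged or stale request: keep the session
        exit('Invalid logout token');
    }
    $_SESSION = [];                // clear all session data, token included
    session_destroy();
    header('Location: ../painel');
    exit;
}
?>
<form method="post" action="painel.php">
    <input type="hidden" name="token"
           value="<?= htmlspecialchars(logout_token(), ENT_QUOTES) ?>">
    <button type="submit" name="logoff" value="true">Sair</button>
</form>
```

Sending the token in a POST body keeps it out of browser history, server access logs and Referer headers, which is where a token placed in a link's query string ends up.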