No subject


Sun May 17 00:05:05 CEST 2009


hashing method.
MD5 being considered "broken" is based on collision attacks. We don't use
MD5 in a way to verify integrity.

If someone tries 16^32 variations in a long time, already issued
sessions might no longer be valid; if the attacker tries all those
variations in a short time, your server stops due to this kind of DoS.

Instead of using another hashing method we should focus on increased
entropy.


Marcus.


-- 
TYPO3 Security blog: http://secure.t3sec.info/

