Christoph M. Becker

I'm not an expert on hash functions, so take the following with a huge grain of salt (and please correct me, if I'm wrong). As I see it, there are...

Quick note to not forget about it: maybe link to https://csrc.nist.gov/projects/hash-functions (see https://news-web.php.net/php.internals/124678).

I would presume that this changed when the resources were converted to objects; might make sense to add that info to the note (or maybe to the changelog entry).

I was wondering about autoconf, automake and libtool requirements, but couldn't find any version in the sources so far. Not even sure if these are needed; I think at least...

> I was wondering about autoconf, automake and libtool requirements, but couldn't find any version in the sources so far. Not even sure if these are needed; I think at...

Well, it's not really about unsetting the variable, but rather about the refcount of the object; when the latter decreases to zero, the object is released. For the given code...

The documentation of the `$private_key` parameter certainly needs to be improved. I consider the current state a bug. Note that the signatures are now declared in [stub files](https://github.com/php/php-src/blob/2501cad25a1818fa35830982371ae88b0adb5d57/ext/openssl/openssl.stub.php#L602-L606). If they...

> I suggest switching everything to "\n", i.e. LF. I'm very much in favor of doing this (replace `PHP_EOL` with `LF`). There are only few applications (if any) which have...

Securing the session ID cookie makes sense (both secure as well as HTTP only; not sure about samesite). As for the others (status, mode), there's not much point in securing...

> Only, something still needs to be turned here: Do we still support session IDs sent via URL parameters (`session.use_only_cookies=Off`)? If not, there is no need to warn about missing...