PHP session.hash_function is MD5

Published on
02 Jul 2018

MD5 is a common hash algorithm: a one-way cryptographic function that accepts a string of any length and returns a fixed-length digest (a 128-bit hash value). It was first used to authenticate digital signatures. Although it has been used in many situations, MD5 is now considered unsafe for cryptographic use.

There are many malicious ways to generate MD5 collisions in a web application, and many servers use MD5 as the session hash function. Because the algorithm is vulnerable, an attacker can easily crack these hash values with a brute-force attack, and can carry out a collision attack against applications that use MD5 even with a weak computer. MD5 is also vulnerable to chosen-prefix collision attacks. A chosen-prefix collision attack is a collision attack in which the attacker selects two different documents and then computes data to append to each so that both produce the same hash value.


PHP declares its md5() function as follows:

        string md5 ( string $str [, bool $raw_output = FALSE ] )



The impact includes:

  • Brute-force attack
  • Collision attack

Mitigation / Precaution

Beagle recommends the following fix:

  • Use a slow password hash such as BCrypt, PBKDF2 or SCrypt, or another hash function that works similarly.
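
A check for the setting named in the title, as an added example that is not Beagle's code: it reads php.ini text and reports which digest `session.hash_function` selects. It applies to PHP versions before 7.1, where the directive exists and defaults to 0 (MD5); the function names, the set of accepted algorithms and the sample files are assumptions of this example.

```python
import re

# session.hash_function values that select a weak digest (PHP < 7.1);
# 0 and 1 are the numeric aliases for MD5 and SHA-1.
WEAK = {"0": "md5", "md5": "md5", "1": "sha1", "sha1": "sha1"}
# Assumption of this example: these digests are treated as acceptable.
STRONG = {"sha256", "sha384", "sha512"}
DIRECTIVE = re.compile(r"^session\.hash_function\s*=\s*(.*)$")


def effective_hash_function(ini_text):
    """Return the last session.hash_function value in php.ini text, or None."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        match = DIRECTIVE.match(line)
        if match:  # a later assignment overrides an earlier one
            value = match.group(1).strip().strip("\"'").lower()
    return value


def audit_session_hash(ini_text):
    """Classify the session ID digest as ('weak' | 'ok' | 'review', value)."""
    value = effective_hash_function(ini_text)
    if value is None:
        return ("weak", "md5")  # directive absent: the default is 0 (MD5)
    if value in WEAK:
        return ("weak", WEAK[value])
    if value in STRONG:
        return ("ok", value)
    return ("review", value)  # empty or unrecognised, needs a manual look


# Constructed sample files, not taken from any real server.
SAMPLE_WEAK = """
[Session]
session.save_handler = files
;session.hash_function = sha256
session.hash_function = 0   ; 0 = MD5
"""

SAMPLE_FIXED = """
[Session]
session.hash_function = "sha256"
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, audit_session_hash(text))
```

The commented-out `sha256` line in the first sample is ignored, so the file is still reported as MD5.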

Written by
Co-founder, Director