[SECURITY] Session::__construct() allows use of the current time as a session key
inc/Session.php uses this SQL to try to limit session use to those in possession of the session key:
$sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
However, there is a fatal flaw in the logic. It allows anyone who can guess the microsecond time (and the incrementing session_id) to impersonate the session.
The clause
(md5(session.session_start::text) = ? OR
should be removed.
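The predicate above next to the version with the md5 alternative removed, as an added example that is not code from the project. It assumes SQLite as a stand-in for PostgreSQL (so the `::text` cast is dropped and an `md5()` function is registered), a constructed three-column `session` table, and hypothetical helper names.

```python
import hashlib
import secrets
import sqlite3

# Predicate quoted in the report, minus PostgreSQL's ::text cast (the stand-in
# table already stores session_start as text).
VULNERABLE_WHERE = ("WHERE session.session_id = ? AND "
                    "(md5(session.session_start) = ? OR session.session_key = ?)")
# Same predicate with the md5(session_start) alternative removed.
FIXED_WHERE = "WHERE session.session_id = ? AND session.session_key = ?"
ORDER = " ORDER BY session.session_start DESC LIMIT 2"


def make_db():
    """Constructed in-memory table; column names follow the quoted query."""
    db = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the original predicate runs as written.
    db.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    db.execute("CREATE TABLE session (session_id INTEGER PRIMARY KEY, "
               "session_start TEXT, session_key TEXT)")
    return db


def create_session(db, started_at):
    """Insert a session with a random 128-bit key; return (session_id, key)."""
    key = secrets.token_hex(16)
    cur = db.execute("INSERT INTO session (session_start, session_key) "
                     "VALUES (?, ?)", (started_at, key))
    return cur.lastrowid, key


def timestamp_credential(started_at):
    """The non-secret value the vulnerable predicate also accepts."""
    return hashlib.md5(started_at.encode()).hexdigest()


def lookup(db, where, session_id, presented):
    """True if the presented credential selects the session row."""
    # The vulnerable predicate binds the credential twice, the fixed one once.
    params = (session_id,) + (presented,) * (where.count("?") - 1)
    row = db.execute("SELECT session_id FROM session " + where + ORDER,
                     params).fetchone()
    return row is not None
```

With the vulnerable predicate a session is selected by either the random key or a hash of its start time; with the fixed predicate only the random key matches.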