Question

I have a chat application running on a PHP WebSocket server.

When a client connects, I send him an object with other users' ids and nicknames. I need to send those ids so that when a user says something, or disconnects, etc., other users can know who has said that, or has disconnected, etc.

Server-side I work with SESSID because I use $_SESSION data, but of course I can't make public the list of SESSID.

Then, can I use md5($userId) (where $userId is SESSID), or is it possible to hijack a session from its md5 hash?


Solution 2

Hashes are not the best things for security, and I wouldn't recommend them in most cases.

But in this case there is a difference:

All SSIDs are absolute nonsense (I mean they are random), so if you add the needed salt to make your

salt.length + $userId.length

more than 32 characters (to be on the safe side, make it more than 128 chars), it's logically impossible to decrypt the hash. Decrypting it would be like remaking a file from its hash, which is impossible.

To make things easier, here is the code you need:

function YourNewHashMaker($str)
{
    return sha1(md5("Some Random Salt".$str).$str."Another Random Salt!".sha1("This one is too much".$str));
}

Use it like this:

YourNewHashMaker($userId);

The only security hole here is the possibility that someone steals your code and starts to make a rainbow table, which is a REALLY hard thing to do, and also the same security hole as all other hashes.

Edit: Remember, whatever idea you have for making your own hashmakers, the output string must be generated by an approved algorithm. In other words, do not add anything before or after 'sha1(....)', just inside of the function.

Hope it helps.

OTHER TIPS

Any hash function used in this context would be insecure, and choosing MD5 as your hash function means that you are unaware of best practices related to cryptographic functions. MD5 has been broken for many years, and should never be used for anything, ever. (Even sha1 is more secure and faster, but you probably shouldn't be using SHA1 either).

There are many problems with this. Most notably, this should be trivial to crack, as any small number should be in a rainbow table. An attacker should know every SESSID value. As a session ID, use PHP's session_start(). If you need a token, use a cryptographic nonce. If you don't understand the very basics of hash functions, then don't use a hash function.
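As an added example (not code from the original question or answers), this sketch shows the alternative the last answer points to: each session gets a random public identifier that is generated independently of the session ID and mapped to it only on the server, so nothing sent to clients is derived from the SESSID. The class name, method names and sample session IDs are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: keeps the session-ID-to-public-ID mapping server-side only.
final class PublicIdRegistry
{
    /** @var array<string,string> session ID => public ID (never sent to clients) */
    private array $bySession = [];

    /** Return the public ID for a session, minting a random one on first use. */
    public function idFor(string $sessionId): string
    {
        if (!isset($this->bySession[$sessionId])) {
            // 128 bits from the OS CSPRNG; not computed from the session ID,
            // so knowing the public ID reveals nothing about the session ID.
            $this->bySession[$sessionId] = bin2hex(random_bytes(16));
        }
        return $this->bySession[$sessionId];
    }

    /** Drop the mapping when the client disconnects; returns the retired public ID. */
    public function release(string $sessionId): ?string
    {
        $publicId = $this->bySession[$sessionId] ?? null;
        unset($this->bySession[$sessionId]);
        return $publicId;
    }

    /** Roster payload for clients: public IDs and nicknames only. */
    public function roster(array $nickBySession): string
    {
        $out = [];
        foreach ($nickBySession as $sessionId => $nick) {
            $out[] = ['id' => $this->idFor((string) $sessionId), 'nick' => $nick];
        }
        return json_encode($out, JSON_THROW_ON_ERROR);
    }
}

// Constructed sample data: two fake session IDs and nicknames.
$registry = new PublicIdRegistry();
$nicks = ['sess-constructed-aaa' => 'alice', 'sess-constructed-bbb' => 'bob'];
echo $registry->roster($nicks), PHP_EOL;

// On disconnect, broadcast the retired public ID so other clients can update.
echo json_encode(['left' => $registry->release('sess-constructed-bbb')]), PHP_EOL;
```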

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow