via http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
(I will work on this someday)
$session_serial = $user_id.'-*-'.time().'-*-'.getStringFromServer('REMOTE_ADDR').'-*-'.getStringFromServer('HTTP_USER_AGENT');
$session_serial_hash = md5($session_serial.forge_get_config('session_key'));
$session_serial_token = base64_encode($session_serial).'-*-'.$session_serial_hash;
+ /*
+ * TODO: would be better to use HMAC-SHA256 via
+ * http://www.php.net/manual/en/function.hash-hmac.php
+ * or do this using Keccak (SHA-3) which is its own MAC
+ */
return $session_serial_token;
}
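Review bot: The token is still authenticated with `md5($session_serial.forge_get_config('session_key'))` on the context line just above the added comment, so the weakness the TODO names ships unchanged. With the key appended after the data, two serial strings that collide under MD5 can end up with the same tag, and the serial contains the client-supplied `HTTP_USER_AGENT`. The replacement is a single line, `$session_serial_hash = hash_hmac('sha256', $session_serial, forge_get_config('session_key'));`, so it could land here instead of a TODO; tokens already issued would stop validating, and the checking code (not visible in this hunk) would need the same change and should compare tags with `hash_equals()` rather than `==`. The enclosing function starts outside the hunk.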