public function __construct(string $key, string $salt)

Parameters

$key — string
    a per-site secret string which is used as the base encryption key.
$salt — string
    a per-session random string which is used as a salt to generate a per-session key.

The base encryption key needs to stay secret. If an attacker ever gets it, they can read their session, and even modify & re-sign it.
The salt is a random per-session string that is used with the base encryption key to create a per-session key. This (amongst other things) makes sure an attacker can't use a known-plaintext attack to guess the key.
Normally we could create a salt on encryption, send it to the client as part of the session (it doesn't need to remain secret), then use the returned salt to decrypt. But we already have the Session ID which makes a great salt, so no need to generate & handle another one.
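The key-derivation scheme described above, as an added example that is not the project's own code: the per-site base key and the session ID (the salt) are fed through HKDF to produce a per-session key, which then encrypts and authenticates the session payload with AES-256-GCM. The class name `SessionCrypt`, the `encrypt`/`decrypt` methods and the HKDF info label are assumptions made for this illustration; the constructor signature matches the one documented above.

```php
<?php
// Added example, not the original project's code.
// Derives a per-session key from a per-site base key and a per-session salt
// (the session ID), then encrypts and authenticates session data with it.
final class SessionCrypt
{
    private string $key;   // per-site secret; must never leave the server
    private string $salt;  // per-session random string; may be sent to the client

    public function __construct(string $key, string $salt)
    {
        if ($key === '' || $salt === '') {
            throw new InvalidArgumentException('key and salt must be non-empty');
        }
        $this->key  = $key;
        $this->salt = $salt;
    }

    // Per-session key = HKDF-SHA256(base key, salt = session ID).
    // A plaintext/ciphertext pair observed in one session reveals neither the
    // base key nor the key of any other session.
    private function sessionKey(): string
    {
        return hash_hkdf('sha256', $this->key, 32, 'session-encryption', $this->salt);
    }

    // Returns base64(iv || tag || ciphertext). The GCM tag authenticates the
    // data, so a modified payload is rejected on decrypt instead of being read.
    public function encrypt(string $plaintext): string
    {
        $iv  = random_bytes(12);   // fresh nonce per encryption
        $tag = '';
        $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $this->sessionKey(),
                               OPENSSL_RAW_DATA, $iv, $tag);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        return base64_encode($iv . $tag . $ct);
    }

    // Returns the plaintext, or null when the payload is malformed, was
    // tampered with, or was produced under a different session key.
    public function decrypt(string $payload): ?string
    {
        $raw = base64_decode($payload, true);
        if ($raw === false || strlen($raw) < 28) {
            return null;
        }
        $iv  = substr($raw, 0, 12);
        $tag = substr($raw, 12, 16);
        $ct  = substr($raw, 28);
        $pt  = openssl_decrypt($ct, 'aes-256-gcm', $this->sessionKey(),
                               OPENSSL_RAW_DATA, $iv, $tag);
        return $pt === false ? null : $pt;
    }
}

// Constructed demo values: a per-site key from the server's configuration and
// two session IDs standing in for the per-session salt.
$siteKey   = random_bytes(32);
$sessionA  = bin2hex(random_bytes(16));
$sessionB  = bin2hex(random_bytes(16));

$cryptA = new SessionCrypt($siteKey, $sessionA);
$token  = $cryptA->encrypt('{"user_id":42,"role":"member"}');

var_dump($cryptA->decrypt($token));                  // the original JSON string

// Flip one byte of the payload: the GCM tag no longer verifies.
$tampered = $token;
$tampered[strlen($tampered) - 3] = $tampered[strlen($tampered) - 3] === 'A' ? 'B' : 'A';
var_dump($cryptA->decrypt($tampered));               // NULL

// Same site key, different session ID: a different per-session key, so the
// token from session A cannot be read in session B.
$cryptB = new SessionCrypt($siteKey, $sessionB);
var_dump($cryptB->decrypt($token));                  // NULL
```

Because the salt is bound into the key, a client can present a token only inside the session it was minted for; swapping it into another session fails authentication rather than decrypting to stale data. Rotating the per-site key invalidates every outstanding token at once, which is the intended blast radius when that secret is suspected to be compromised.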