Custom cryptography and hand-rolled session handling are almost always unsafe. Developers may use weak algorithms, insecure key management, or store sessions in ways that can be hijacked. Attackers can exploit these mistakes to break encryption or take over user accounts.
Magento provides built-in APIs for encryption, hashing, and session management that follow best practices. Using these APIs ensures data is protected consistently across the application. It also reduces the risk of introducing subtle security flaws that come with custom code.
# Search custom code for unsafe functions
grep -R "base64_encode(" app/code
grep -R "md5(" app/code
grep -R "sha1(" app/code
grep -R "session_start" app/code
# Check if Magento’s Crypto and Session classes are used instead
- Use \Magento\Framework\Encryption\EncryptorInterface for hashing and encryption.
- Use \Magento\Framework\Session\SessionManager instead of raw PHP session functions.
- Avoid md5(), sha1(), or base64 encoding for sensitive data; they are not secure (base64 is a reversible encoding, not encryption, and md5/sha1 are unsalted fast hashes).

// Custom crypto with weak hash (unsafe: unsalted, fast, easily brute-forced)
$hash = md5($password);
// Raw PHP session (unsafe: bypasses Magento's session storage, cookie and lifetime configuration)
session_start();
$_SESSION['user'] = $userId;

// Secure Magento API usage ($this->encryptor and $this->sessionManager are injected through the constructor)
$hash = $this->encryptor->getHash($password, true); // true = generate a random salt
$session = $this->sessionManager;
$session->setCustomerId($customerId);
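As an added illustration (not code from this page or from Magento itself), a service class that receives the encryptor and the customer session through constructor injection, hashes and verifies passwords through EncryptorInterface, encrypts secrets that must be read back, and rotates the session id on login; the class name, namespace and the login method are assumed.

```php
<?php
declare(strict_types=1);

namespace Vendor\Module\Model;

use Magento\Customer\Model\Session as CustomerSession;
use Magento\Framework\Encryption\EncryptorInterface;

/**
 * Hypothetical service: every hash, cipher and session write goes through
 * Magento's framework classes, never md5()/sha1()/base64 or $_SESSION.
 */
class CredentialService
{
    public function __construct(
        private EncryptorInterface $encryptor,
        private CustomerSession $customerSession
    ) {
    }

    /** Salted hash using the algorithm Magento is configured for. */
    public function hashPassword(string $password): string
    {
        // Passing true makes the encryptor generate a random salt.
        return $this->encryptor->getHash($password, true);
    }

    /** Verification is done by the framework, not by comparing strings with ==. */
    public function verifyPassword(string $password, string $storedHash): bool
    {
        return $this->encryptor->isValidHash($password, $storedHash);
    }

    /** Reversible encryption for values that must be read back (API tokens, etc.). */
    public function encryptSecret(string $plain): string
    {
        return $this->encryptor->encrypt($plain);
    }

    public function decryptSecret(string $cipher): string
    {
        return $this->encryptor->decrypt($cipher);
    }

    /** Bind the customer to the session and rotate the id to defeat session fixation. */
    public function login(int $customerId): void
    {
        $this->customerSession->regenerateId();
        $this->customerSession->setCustomerId($customerId);
    }
}
```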