Is there any reason the team have to implement a custom function (rcube_session::unserialize) to decode the session string?
Why dont use native php session_decode ? We can even protect the $_SESSION variable by copying it to a dummy array before decoding any session string.
The decode/encode action runs every request and the speed of native function is much faster.
Can anyone explain to me?