And unfortunately the same data is used to produce the session key, which is a big mistake.

They will generate the same session key, which now you have.

Both parties can now derive the same session key.

That is known; the session key is kept private at each end.

The client creates a session key using its random number generator.

That session key is then used to encrypt messages in both directions.

Each peer contributes 128 random bits to the 256-bit session key.

The shared secret is referred to as a session key.

Then both can deduce a common session key within a time complexity of O(m+n).

At the beginning of the call, both users get the same session key by using the hash function.