WebSVN – oidplus – Blame – /trunk/includes/classes/OIDplusSessionHandler.class.php

Rev	Author	Line No.	Line
2	daniel-mar	1	<?php
		2
		3	/*
		4	* OIDplus 2.0
		5	* Copyright 2019 Daniel Marschall, ViaThinkSoft
		6	*
		7	* Licensed under the Apache License, Version 2.0 (the "License");
		8	* you may not use this file except in compliance with the License.
		9	* You may obtain a copy of the License at
		10	*
		11	* http://www.apache.org/licenses/LICENSE-2.0
		12	*
		13	* Unless required by applicable law or agreed to in writing, software
		14	* distributed under the License is distributed on an "AS IS" BASIS,
		15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		16	* See the License for the specific language governing permissions and
		17	* limitations under the License.
		18	*/
		19
112	daniel-mar	20	if (!defined('IN_OIDPLUS')) die();
		21
2	daniel-mar	22	class OIDplusSessionHandler {
		23
		24	protected $secret = '';
		25
261	daniel-mar	26	function __construct() {
		27	$this->sessionLifetime = OIDplus::baseConfig()->getValue('SESSION_LIFETIME', 30*60);
		28	$this->secret = OIDplus::baseConfig()->getValue('SERVER_SECRET');
		29
2	daniel-mar	30	// PREVENTING SESSION HIJACKING
		31	// Prevents javascript XSS attacks aimed to steal the session ID
87	daniel-mar	32	@ini_set('session.cookie_httponly', 1);
2	daniel-mar	33
		34	// PREVENTING SESSION FIXATION
		35	// Session ID cannot be passed through URLs
87	daniel-mar	36	@ini_set('session.use_only_cookies', 1);
2	daniel-mar	37
87	daniel-mar	38	@ini_set('session.use_trans_sid', 0);
85	daniel-mar	39
2	daniel-mar	40	// Uses a secure connection (HTTPS) if possible
230	daniel-mar	41	@ini_set('session.cookie_secure', OIDplus::isSslAvailable());
2	daniel-mar	42
227	daniel-mar	43	$path = OIDplus::getSystemUrl(true);
83	daniel-mar	44	if (!empty($path)) {
87	daniel-mar	45	@ini_set('session.cookie_path', $path);
2	daniel-mar	46	}
		47
87	daniel-mar	48	@ini_set('session.cookie_samesite', 'Lax');
2	daniel-mar	49
87	daniel-mar	50	@ini_set('session.use_strict_mode', 1);
2	daniel-mar	51
261	daniel-mar	52	@ini_set('session.gc_maxlifetime', $this->sessionLifetime);
2	daniel-mar	53	}
		54
86	daniel-mar	55	protected function sessionSafeStart() {
179	daniel-mar	56	if (!isset($_SESSION)) {
		57	// TODO: session_name() makes some problems. Leave it away for now.
261	daniel-mar	58	//session_name('OIDplus_SESHDLR');
179	daniel-mar	59	if (!session_start()) {
250	daniel-mar	60	throw new OIDplusException("Session could not be started");
179	daniel-mar	61	}
		62	}
86	daniel-mar	63
87	daniel-mar	64	if (!isset($_SESSION['ip'])) {
		65	if (!isset($_SERVER['REMOTE_ADDR'])) return;
86	daniel-mar	66
87	daniel-mar	67	// Remember the IP address of the user
		68	$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
		69	} else {
		70	if ($_SERVER['REMOTE_ADDR'] != $_SESSION['ip']) {
		71	// Was the session hijacked?! Get out of here!
		72	$this->destroySession();
		73	}
86	daniel-mar	74	}
		75	}
		76
2	daniel-mar	77	function __destruct() {
		78	session_write_close();
		79	}
		80
		81	public function setValue($name, $value) {
86	daniel-mar	82	$this->sessionSafeStart();
261	daniel-mar	83	setcookie(session_name(),session_id(),time()+$this->sessionLifetime, ini_get('session.cookie_path'));
85	daniel-mar	84
2	daniel-mar	85	$_SESSION[$name] = self::encrypt($value, $this->secret);
		86	}
		87
		88	public function getValue($name) {
85	daniel-mar	89	if (!isset($_COOKIE[session_name()])) return null; // GDPR: Only start a session when we really need one
		90
86	daniel-mar	91	$this->sessionSafeStart();
261	daniel-mar	92	setcookie(session_name(),session_id(),time()+$this->sessionLifetime, ini_get('session.cookie_path'));
85	daniel-mar	93
2	daniel-mar	94	if (!isset($_SESSION[$name])) return null;
		95	return self::decrypt($_SESSION[$name], $this->secret);
		96	}
		97
85	daniel-mar	98	public function destroySession() {
		99	if (!isset($_COOKIE[session_name()])) return;
		100
86	daniel-mar	101	$this->sessionSafeStart();
261	daniel-mar	102	setcookie(session_name(),session_id(),time()+$this->sessionLifetime, ini_get('session.cookie_path'));
85	daniel-mar	103
		104	$_SESSION = array();
		105	session_destroy();
		106	session_write_close();
		107	setcookie(session_name(), "", time()-3600, ini_get('session.cookie_path')); // remove cookie, so GDPR people are happy
		108	}
		109
83	daniel-mar	110	public function exists($name) {
		111	return isset($_SESSION[$name]);
		112	}
		113
2	daniel-mar	114	protected static function encrypt($data, $key) {
6	daniel-mar	115	$iv = random_bytes(16); // AES block size in CBC mode
		116	// Encryption
		117	$ciphertext = openssl_encrypt(
		118	$data,
		119	'AES-256-CBC',
		120	mb_substr($key, 0, 32, '8bit'),
		121	OPENSSL_RAW_DATA,
		122	$iv
		123	);
		124	// Authentication
		125	$hmac = hash_hmac(
		126	'SHA256',
		127	$iv . $ciphertext,
		128	mb_substr($key, 32, null, '8bit'),
		129	true
		130	);
		131	return $hmac . $iv . $ciphertext;
		132	}
2	daniel-mar	133
6	daniel-mar	134	protected static function decrypt($data, $key) {
		135	$hmac = mb_substr($data, 0, 32, '8bit');
		136	$iv = mb_substr($data, 32, 16, '8bit');
		137	$ciphertext = mb_substr($data, 48, null, '8bit');
		138	// Authentication
		139	$hmacNew = hash_hmac(
		140	'SHA256',
		141	$iv . $ciphertext,
		142	mb_substr($key, 32, null, '8bit'),
		143	true
		144	);
		145	if (!hash_equals($hmac, $hmacNew)) {
250	daniel-mar	146	throw new OIDplusException('Authentication failed');
6	daniel-mar	147	}
		148	// Decryption
		149	return openssl_decrypt(
		150	$ciphertext,
		151	'AES-256-CBC',
		152	mb_substr($key, 0, 32, '8bit'),
		153	OPENSSL_RAW_DATA,
		154	$iv
		155	);
		156	}
2	daniel-mar	157	}

Subversion Repositories oidplus

oidplus/trunk/includes/classes/OIDplusSessionHandler.class.php @ 1282 – Rev 261