| 30,13 → 30,13 |
|---|
| |
| // **PREVENTING SESSION HIJACKING** |
| // Prevents javascript XSS attacks aimed to steal the session ID |
| @ini_set('session.cookie_httponly', 1); |
| @ini_set('session.cookie_httponly', '1'); |
| |
| // **PREVENTING SESSION FIXATION** |
| // Session ID cannot be passed through URLs |
| @ini_set('session.use_only_cookies', 1); |
| @ini_set('session.use_only_cookies', '1'); |
| |
| @ini_set('session.use_trans_sid', 0); |
| @ini_set('session.use_trans_sid', '0'); |
| |
| // Uses a secure connection (HTTPS) if possible |
| @ini_set('session.cookie_secure', OIDplus::isSslAvailable()); |
| 47,7 → 47,7 |
|---|
| |
| @ini_set('session.cookie_samesite', OIDplus::baseConfig()->getValue('COOKIE_SAMESITE_POLICY', 'Strict')); |
| |
| @ini_set('session.use_strict_mode', 1); |
| @ini_set('session.use_strict_mode', '1'); |
| |
| @ini_set('session.gc_maxlifetime', $this->sessionLifetime); |
| } |
| 154,7 → 154,7 |
|---|
| ); |
| // Authentication |
| $hmac = hash_hmac( |
| 'SHA256', |
| 'sha256', |
| $iv . $ciphertext, |
| mb_substr($key, 32, null, '8bit'), |
| true |
| 163,7 → 163,7 |
|---|
| } else { |
| // When OpenSSL is not available, then we just do a HMAC |
| $hmac = hash_hmac( |
| 'SHA256', |
| 'sha256', |
| $data, |
| mb_substr($key, 32, null, '8bit'), |
| true |
| 179,7 → 179,7 |
|---|
| $ciphertext = mb_substr($data, 48, null, '8bit'); |
| // Authentication |
| $hmacNew = hash_hmac( |
| 'SHA256', |
| 'sha256', |
| $iv . $ciphertext, |
| mb_substr($key, 32, null, '8bit'), |
| true |
| 200,7 → 200,7 |
|---|
| $hmac = mb_substr($data, 0, 32, '8bit'); |
| $cleartext = mb_substr($data, 32, null, '8bit'); |
| $hmacNew = hash_hmac( |
| 'SHA256', |
| 'sha256', |
| $cleartext, |
| mb_substr($key, 32, null, '8bit'), |
| true |