<?php
/*
* OIDplus 2.0
* Copyright 2019 Daniel Marschall, ViaThinkSoft
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
class OIDplusSessionHandler {
protected $secret = '';
function __construct($secret) {
// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);
// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);
if (isset($_SERVER['REQUEST_URI'])) {
$path = $_SERVER['REQUEST_URI'];
}
ini_set('session.cookie_samesite', 'Lax');
$this->secret = $secret;
}
function __destruct() {
}
public function setValue($name, $value) {
$_SESSION[$name] = self::encrypt($value, $this->secret);
}
public function getValue($name) {
if (!isset($_SESSION[$name])) return null;
return self::decrypt($_SESSION[$name], $this->secret);
}
protected static function encrypt($data, $key) {
$iv = random_bytes(16); // AES block size in CBC mode
// Encryption
$ciphertext = openssl_encrypt(
$data,
'AES-256-CBC',
OPENSSL_RAW_DATA,
$iv
);
// Authentication
'SHA256',
$iv . $ciphertext,
true
);
return $hmac . $iv . $ciphertext;
}
protected static function decrypt($data, $key)
{
$ciphertext = mb_substr($data, 48, null, '8bit');
// Authentication
'SHA256',
$iv . $ciphertext,
true
);
if (! hash_equals($hmac, $hmacNew)) {
throw new Exception('Authentication failed');
}
// Decrypt
return openssl_decrypt(
$ciphertext,
'AES-256-CBC',
OPENSSL_RAW_DATA,
$iv
);
}
}