开发者

php session encryption

开发者 https://www.devze.com 2022-12-10 08:40 出处:网络
I\'d like to have sessions data开发者_运维百科 encrypted like they are in suhosin, is there any library out there providing that?You could easily use mcrypt or a custom AES encryption to encrypt sessi

I'd like to have sessions data开发者_运维百科 encrypted like they are in suhosin, is there any library out there providing that?


You could easily use mcrypt or a custom AES encryption to encrypt session data. The best bet would to create a session wrapper class that encrypts variables when you set them.

For key management, you could create a unique key and store it in a cookie, so that only the user can decrypt their own session data.


There exampleimplementation for Zend Framework here: http://www.eschrade.com/page/encrypted-session-handler-4ce2fce4/

the important functions for reference:

// $this->secredKey is stored in a cookie
// $this->_iv is created at the start
public function setEncrypted($key, $value)
{
    $_SESSION[$key] = bin2hex(
        mcrypt_encrypt(
            MCRYPT_3DES,
            $this->secretKey,
            $value,
            MCRYPT_MODE_CBC,
            $this->_iv
        )
    );
}

public function getEncrypted($key)
{
    if (isset($_SESSION[$key])) {
        $decrypt = mcrypt_decrypt(
            MCRYPT_3DES,
            $this->secretKey,
            pack(
                'H*',
                $_SESSION[$key]
            ),
            MCRYPT_MODE_CBC,
            $this->_iv
        );
        return rtrim($decrypt, "\0"); // remove null characters off of the end
    }
    return null;
}
0

精彩评论

暂无评论...
验证码 换一张
取 消