Php session wrapper class
Problem
```
class session{
// State shared by the static methods below.
// Whether start() has already called session_start() during this request.
private static $_sessionStarted = false;
// NOTE(review): hard-coded key material committed with the source. Anyone who
// can read this file has it, and that party can usually read the session
// store as well, so encrypting session values with it adds little protection.
// Presumably consumed by encrypt()/decrypt(), which are not visible here.
private static $_crypt = 'qwerty347658@$%AdfSV045*&erT2Erb%6w!07&[.?;ru';
private static $_salt = 'qwertyAF347658@$%AdfSV045*&erTyUsdfYtrLmncBGhu';
// Alphabet handed to rand_pass() by start(); assumed to be the character set
// the per-session random value is drawn from — TODO confirm in rand_pass().
private static $_rand = 'abcdefghijklmnoqprstuvxwz0123456789!@#$%^&*()_-=;:<>,.';
// Filled in by rand_pass() (not shown) and then written into the session by
// start() under the key 'bad_ideea:D'.
private static $_rand_pass;
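/**
 * Starts (or resumes) the PHP session with hardened cookie settings.
 *
 * Every ini_set() must run before session_start(), which is why the settings
 * come first. The session ID is rotated at most once per $rotateAfter seconds
 * instead of on every call: rotating on every request logs the user out when
 * two requests from the same browser overlap, because the second request
 * still carries the old, already-deleted, ID. Periodic rotation narrows that
 * window; it does not remove it entirely.
 *
 * Requires the SESS_PATH constant (directory for the session files).
 *
 * @param int $rotateAfter minimum number of seconds between ID rotations
 */
public static function start($rotateAfter = 300){
    ini_set('session.cookie_httponly', 1);   // cookie not readable from JavaScript
    ini_set('session.use_only_cookies', 1);  // never accept the ID from the URL
    // Reject session IDs the server did not generate itself (session fixation).
    ini_set('session.use_strict_mode', 1);
    // NOTE(review): session.cookie_secure=1 (HTTPS only) and a SameSite
    // attribute are worth enabling once the deployment allows it.
    session_save_path(SESS_PATH);
    ini_set('session.gc_probability', 2);
    ini_set('session.gc_divisor', 100);
    ini_set('session.gc_maxlifetime', 1440);

    if(self::$_sessionStarted === false){
        session_start();
        self::$_sessionStarted = true;
        self::rand_pass(self::$_rand);
        self::set('bad_ideea:D', self::$_rand_pass);
    }

    // Rotate on the first use of this session and periodically afterwards.
    // '_id_rotated_at' is a key introduced by this wrapper for that purpose.
    $now = time();
    $lastRotation = isset($_SESSION['_id_rotated_at']) ? $_SESSION['_id_rotated_at'] : 0;
    if(!is_int($lastRotation) || ($now - $lastRotation) >= $rotateAfter){
        session_regenerate_id(true);
        $_SESSION['_id_rotated_at'] = $now;
    }
}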
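/**
 * Destroys the current session and forgets all of its data.
 *
 * Replaces $_SESSION as a whole: the previous loop iterated over the *values*
 * and called unset($_SESSION[$value]), which left the real keys in place (and
 * fails outright for array values). Also expires the session cookie in the
 * browser, since session_destroy() only removes the server-side copy, and
 * resets the started flag so a later start() can open a fresh session.
 * Does nothing when start() has not been called.
 */
public static function stop(){
    if(self::$_sessionStarted !== true){
        return;
    }
    $_SESSION = [];
    // Pattern from the PHP manual: expire the client-side cookie as well.
    if(ini_get('session.use_cookies')){
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    self::$_sessionStarted = false;
}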
/**
 * Stores $value in the session under $key, replacing any existing value.
 *
 * The value is stored as-is; use set_e() for data that must be encrypted.
 *
 * @param string|int $key   session key
 * @param mixed      $value anything PHP can serialize into the session
 */
public static function set($key, $value){
    $_SESSION[$key] = $value;
}
/**
 * Stores $value in the session under $key after passing it through encrypt().
 *
 * The original comment describes the scheme as AES-128; encrypt() is not part
 * of this excerpt, so cipher, mode and key handling are not verified here.
 * NOTE(review): by the author's own description half of the key is kept in
 * this file and half in the same session store as the ciphertext, so the
 * encryption adds little if both can be read.
 *
 * @param string|int $key   session key
 * @param mixed      $value plaintext handed to encrypt()
 */
public static function set_e($key, $value){
    $ciphertext = self::encrypt($value);
    $_SESSION[$key] = $ciphertext;
}
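/**
 * Reads a value from the session, optionally one level deep.
 *
 * get('user') returns $_SESSION['user']; get('user', 'name') returns
 * $_SESSION['user']['name']. A second key counts as given whenever it is not
 * the default false (or null), so falsy keys such as 0, '0' or '' are
 * honoured — the previous `$secondKey == true` test treated those as "no
 * second key" and returned the whole first-level value instead.
 *
 * Returns false when the key is missing (or holds null, because isset() is
 * used); callers that store false or null cannot tell that from "absent".
 *
 * @param string|int       $key       first-level session key
 * @param string|int|false $secondKey optional key inside $_SESSION[$key]
 * @return mixed the stored value, or false when not found
 */
public static function get($key, $secondKey = false){
    if(!isset($_SESSION[$key])){
        return false;
    }
    if($secondKey === false || $secondKey === null){
        return $_SESSION[$key];
    }
    // Only arrays have a meaningful second level; a string would otherwise be
    // indexed by character offset.
    if(is_array($_SESSION[$key]) && isset($_SESSION[$key][$secondKey])){
        return $_SESSION[$key][$secondKey];
    }
    return false;
}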
//returnam valoare decriptata array asociativ
public static function get_e($key, $secondKey = false){
if(isset($_SESSION[$key])
class session{
// State shared by the static methods below.
// Whether start() has already called session_start() during this request.
private static $_sessionStarted = false;
// NOTE(review): hard-coded key material committed with the source. Anyone who
// can read this file has it, and that party can usually read the session
// store as well, so encrypting session values with it adds little protection.
// Presumably consumed by encrypt()/decrypt(), which are not visible here.
private static $_crypt = 'qwerty347658@$%AdfSV045*&erT2Erb%6w!07&[.?;ru';
private static $_salt = 'qwertyAF347658@$%AdfSV045*&erTyUsdfYtrLmncBGhu';
// Alphabet handed to rand_pass() by start(); assumed to be the character set
// the per-session random value is drawn from — TODO confirm in rand_pass().
private static $_rand = 'abcdefghijklmnoqprstuvxwz0123456789!@#$%^&*()_-=;:<>,.';
// Filled in by rand_pass() (not shown) and then written into the session by
// start() under the key 'bad_ideea:D'.
private static $_rand_pass;
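/**
 * Starts (or resumes) the PHP session with hardened cookie settings.
 *
 * Every ini_set() must run before session_start(), which is why the settings
 * come first. The session ID is rotated at most once per $rotateAfter seconds
 * instead of on every call: rotating on every request logs the user out when
 * two requests from the same browser overlap, because the second request
 * still carries the old, already-deleted, ID. Periodic rotation narrows that
 * window; it does not remove it entirely.
 *
 * Requires the SESS_PATH constant (directory for the session files).
 *
 * @param int $rotateAfter minimum number of seconds between ID rotations
 */
public static function start($rotateAfter = 300){
    ini_set('session.cookie_httponly', 1);   // cookie not readable from JavaScript
    ini_set('session.use_only_cookies', 1);  // never accept the ID from the URL
    // Reject session IDs the server did not generate itself (session fixation).
    ini_set('session.use_strict_mode', 1);
    // NOTE(review): session.cookie_secure=1 (HTTPS only) and a SameSite
    // attribute are worth enabling once the deployment allows it.
    session_save_path(SESS_PATH);
    ini_set('session.gc_probability', 2);
    ini_set('session.gc_divisor', 100);
    ini_set('session.gc_maxlifetime', 1440);

    if(self::$_sessionStarted === false){
        session_start();
        self::$_sessionStarted = true;
        self::rand_pass(self::$_rand);
        self::set('bad_ideea:D', self::$_rand_pass);
    }

    // Rotate on the first use of this session and periodically afterwards.
    // '_id_rotated_at' is a key introduced by this wrapper for that purpose.
    $now = time();
    $lastRotation = isset($_SESSION['_id_rotated_at']) ? $_SESSION['_id_rotated_at'] : 0;
    if(!is_int($lastRotation) || ($now - $lastRotation) >= $rotateAfter){
        session_regenerate_id(true);
        $_SESSION['_id_rotated_at'] = $now;
    }
}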
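/**
 * Destroys the current session and forgets all of its data.
 *
 * Replaces $_SESSION as a whole: the previous loop iterated over the *values*
 * and called unset($_SESSION[$value]), which left the real keys in place (and
 * fails outright for array values). Also expires the session cookie in the
 * browser, since session_destroy() only removes the server-side copy, and
 * resets the started flag so a later start() can open a fresh session.
 * Does nothing when start() has not been called.
 */
public static function stop(){
    if(self::$_sessionStarted !== true){
        return;
    }
    $_SESSION = [];
    // Pattern from the PHP manual: expire the client-side cookie as well.
    if(ini_get('session.use_cookies')){
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    self::$_sessionStarted = false;
}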
/**
 * Stores $value in the session under $key, replacing any existing value.
 *
 * The value is stored as-is; use set_e() for data that must be encrypted.
 *
 * @param string|int $key   session key
 * @param mixed      $value anything PHP can serialize into the session
 */
public static function set($key, $value){
    $_SESSION[$key] = $value;
}
/**
 * Stores $value in the session under $key after passing it through encrypt().
 *
 * The original comment describes the scheme as AES-128; encrypt() is not part
 * of this excerpt, so cipher, mode and key handling are not verified here.
 * NOTE(review): by the author's own description half of the key is kept in
 * this file and half in the same session store as the ciphertext, so the
 * encryption adds little if both can be read.
 *
 * @param string|int $key   session key
 * @param mixed      $value plaintext handed to encrypt()
 */
public static function set_e($key, $value){
    $ciphertext = self::encrypt($value);
    $_SESSION[$key] = $ciphertext;
}
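/**
 * Reads a value from the session, optionally one level deep.
 *
 * get('user') returns $_SESSION['user']; get('user', 'name') returns
 * $_SESSION['user']['name']. A second key counts as given whenever it is not
 * the default false (or null), so falsy keys such as 0, '0' or '' are
 * honoured — the previous `$secondKey == true` test treated those as "no
 * second key" and returned the whole first-level value instead.
 *
 * Returns false when the key is missing (or holds null, because isset() is
 * used); callers that store false or null cannot tell that from "absent".
 *
 * @param string|int       $key       first-level session key
 * @param string|int|false $secondKey optional key inside $_SESSION[$key]
 * @return mixed the stored value, or false when not found
 */
public static function get($key, $secondKey = false){
    if(!isset($_SESSION[$key])){
        return false;
    }
    if($secondKey === false || $secondKey === null){
        return $_SESSION[$key];
    }
    // Only arrays have a meaningful second level; a string would otherwise be
    // indexed by character offset.
    if(is_array($_SESSION[$key]) && isset($_SESSION[$key][$secondKey])){
        return $_SESSION[$key][$secondKey];
    }
    return false;
}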
//returnam valoare decriptata array asociativ
public static function get_e($key, $secondKey = false){
if(isset($_SESSION[$key])
Solution
-
You said in a comment that you're storing half of the encryption key alongside the data you're encrypting, and the other half in the code itself. What's the point of that? If they have access to the PHP files, they probably have access to the session files, too.
-
There's basically no point in calling srand() with no arguments. It doesn't make its output "more random". Relevant
-
The issue with calling session_regenerate_id with every page load is that if you have two pages loading from the same user at the same time, the user will get logged out.
Here's an example:
You said in a comment that you're storing half of the encryption key alongside the data you're encrypting, and the other half in the code itself. What's the point of that? If they have access to the PHP files, they probably have access to the session files, too.
-
There's basically no point in calling srand() with no arguments. It doesn't make its output "more random". Relevant
-
The issue with calling session_regenerate_id with every page load is that if you have two pages loading from the same user at the same time, the user will get logged out.
Here's an example:
- User sends "GET /page1" and "Cookie: session=cookie1"
- User sends "GET /page2" and "Cookie: session=cookie1"
- Server receives request for page1; Server changes cookie, sends back "Set-Cookie: session=cookie2".
- User receives new cookie and saves it, but it is too late.
- Server receives request for page2; since cookie1 != cookie2, the request fails and the user is redirected to the login page.
Context
StackExchange Code Review Q#18577, answer score: 4