I'd like to have sessions data encrypted like they are in suhosin, is there any library out there providing that?
php session encryption
4.6k Views Asked by Paul At
2
There are 2 best solutions below
0
d.raev
On
There exampleimplementation for Zend Framework here: http://www.eschrade.com/page/encrypted-session-handler-4ce2fce4/
the important functions for reference:
// $this->secredKey is stored in a cookie
// $this->_iv is created at the start
public function setEncrypted($key, $value)
{
$_SESSION[$key] = bin2hex(
mcrypt_encrypt(
MCRYPT_3DES,
$this->secretKey,
$value,
MCRYPT_MODE_CBC,
$this->_iv
)
);
}
public function getEncrypted($key)
{
if (isset($_SESSION[$key])) {
$decrypt = mcrypt_decrypt(
MCRYPT_3DES,
$this->secretKey,
pack(
'H*',
$_SESSION[$key]
),
MCRYPT_MODE_CBC,
$this->_iv
);
return rtrim($decrypt, "\0"); // remove null characters off of the end
}
return null;
}
Related Questions in PHP
- How to add the dynamic new rows from my registration form in my database?
- Issue in payment form gateway
- How to create a facet for WP gridbuilder that displays both parent and child custom fields?
- Function in anonymous Laravel Blade component
- How to change woocomerce or full wordpress currency with value from USD to AUD
- General questions about creating a custom theme Moodle CMS
- How to add logging to an abstract class in php
- error 500 on IIS FastCGI but no clue despite multiple error loggings activated
- Composer installation fails and reverts ./composer.json and ./composer.lock to original content
- How to isolate PHP apps from each other on a local machine(Windows or Linux)?
- Laravel: Using belongsToMany relationship with MongoDB
- window.location.href redirects but is causing problems on the webpage
- Key provided is shorter than 256 bits, only 64 bits provided
- Laravel's whereBetween method not working with two timestamps
- Implementing UUID as primary key in Laravel intermediate table
Related Questions in SECURITY
- HTTPS configuration in Spring Boot, server returning timeout
- HSM ZKA control mask values
- OWASP Amass Subcommands
- Is there a need for BPF Linux namespace?
- Error when trying to execute a binary compiled in a Kali Linux machine on an Ubuntu system
- When sanitize/encode while implementing tags system like on SO
- spring security version in spring-boot-starter-security
- I am currently trying to implement a rudimentary firewall from a video I watched but the nimda worm detection is not working and i do not know why?
- Is it possible for `sudo` to fail temporarily with the correct password? Hacking suspected
- Is it viable proxying all my mobile apps requests, to some kind knowing that a request is coming from a secure source
- What abilities should I concentrate on while bug hunting, and how can I improve the quality of my bug bounty reports?
- System.ArgumentOutOfRangeException: I passed this error in every single program
- How to prevent users from creating custom client apps?
- Does server-side content security policy exist for youtube video player API, app, mod apks and website?
- Can we pass a hostname/IP address as a query string in a GET request in REST API
Related Questions in ENCRYPTION
- Is TLS enough for client server encryption or if dealing with sensitive data, its better to add ur own encryption also. for example leverage AWS SSM?
- Secure Messaging Implementation in C#
- File splitting and encryption
- Large file processing in the web browser
- Java code of AES/GCM/NoPadding encryption algorithm with authentication tag
- AES-256-CBC encryption returning different result in Python and PHP , HELPPP
- Why are encrypted stored procedures taking a long time to execute in SQL Server 2022?
- Why/How does Apache auto-include "DHE" TLS1.2 ciphers while nginx needs "dhparams" file?
- Encrypt in Single Store and Decrypt in SQL Server
- Is it possible to develop a Transparent Data Encryption(TDE) system on macOS now?
- How can I ensure incremental changes in deciphered messages in Python substitution cipher decoding?
- Getting Error Message as "the input string is not a complete block" while Decryting using AES
- Laravel: How to fix "the MAC is invalid" on local environment
- How to encrypt a string and decrypt it using a password
- Willena's sqlite-jdbc-crypt driver for sqlite3 database encryption
Related Questions in SESSION
- Multiple Processes, Multiple Processors, Single Priority Queue - Java Thread-Safe and Concurrency -
- Securing routes with sessionStorage in NextJS
- Cant handle Session's cookie when Safari/iOS
- Quart_Sessions Redis deletes keys and create backups instead
- I cannot get ID from session in GET method in Next.js 14
- I am new to flutter, just trying to set and get logged in user's session but maybe I am missing something
- I'm going nuts with Heroku session management issues
- Have a problem with get session in nextjs
- Session custom property getting undefined when calling Node js API from Javascript fetch
- Best Approach for Preserving User Input Across Blazor Pages in ASP.NET Core Application with User-Specific Data Storage
- spring security + form login + redis session storage -> keep coming out anonymous User
- Check user login in backend
- Next.js Middleware for Session Authentication Redirects: Errors Encountered
- Ansible prompt "No existing session" in manual executing the playbook
- Running a program on different computers with different users that access a central database simultaneously - VB.NET XAMPP/MySQL
Related Questions in SUHOSIN
- Disable PHP eval in Virtualhost per location
- WP ACF plugin max_vars issue (PHP suhosin)
- Suhosin and disable eval function
- suhosin class method whitelist
- How to secure CentOS with PHP7 server without suhosin?
- Load extension automatically in PHP5 ubuntu
- Why doesn't suhosin.executor.disable_emodifier work?
- PHP modify suhosin settings on runtime
- Suhosin and disable eval
- Shell Exec disabled
- increasing post vars limit in php with suhosin is not working
- Magento save only 325 attribute values
- What suhosin patch works with php 5.3.28?
- How to write my own mt_rand() & mt_srand?
- how do I fix my suhosin.so error
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular # Hahtags
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
You could easily use mcrypt or a custom AES encryption to encrypt session data. The best bet would to create a session wrapper class that encrypts variables when you set them.
For key management, you could create a unique key and store it in a cookie, so that only the user can decrypt their own session data.