- <?php
- /*
- * Secure Session Mgmt
- */
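/*
 * Secure Session Mgmt
 *
 * Custom PHP session save handler backed by a `sessions` table
 * (columns used here: id, data, session_key, set_time) through PDO.
 * Serialized session data is encrypted per session with a key that is
 * itself stored in the row, so a database dump alone does not yield
 * readable session contents without the fixed salt below.
 */
class _session {
    /** @var PDO Connection used by every prepared statement (must be a PDO object). */
    private $_connection;
    /** @var PDOStatement|null Prepared once, reused by read(). */
    private $r_stmt;
    /** @var PDOStatement|null Prepared once, reused by write(). */
    private $w_stmt;
    /** @var PDOStatement|null Prepared once, reused by destroy(). */
    private $delete_stmt;
    /** @var PDOStatement|null Prepared once, reused by gc(). */
    private $gc_stmt;
    /** @var PDOStatement|null Prepared once, reused by getkey(). */
    private $key_stmt;

    /**
     * Store the connection and register this object as the session save handler.
     *
     * @param PDO $connection Open connection to the database holding `sessions`.
     */
    public function __construct(PDO $connection) {
        $this->_connection = $connection;
        session_set_save_handler(
            array($this, 'open'),
            array($this, 'close'),
            array($this, 'read'),
            array($this, 'write'),
            array($this, 'destroy'),
            array($this, 'gc'));
        // Write the session out before objects are destroyed at shutdown; otherwise
        // the handler object may be gone when PHP tries to flush the session.
        register_shutdown_function('session_write_close');
    }

    /**
     * Harden the session settings, then start the session under $session_name.
     *
     * @param string $session_name Cookie/session name to use.
     * @param bool   $secure       True when served over HTTPS: marks the cookie Secure.
     */
    public function start_session($session_name, $secure) {
        // The session cookie must never be readable from JavaScript.
        $httponly = true;

        if (PHP_VERSION_ID < 70100) {
            // Legacy knobs (removed in PHP 7.1): hash the session id with SHA-512
            // and emit 5 bits per character (0-9, a-v).
            $session_hash = 'sha512';
            if (in_array($session_hash, hash_algos(), true)) {
                ini_set('session.hash_function', $session_hash);
            }
            ini_set('session.hash_bits_per_character', 5);
        } else {
            // PHP 7.1+ draws ids from a CSPRNG; the replacement knobs only
            // control length and alphabet.
            ini_set('session.sid_length', 48);
            ini_set('session.sid_bits_per_character', 5);
        }
        // Only accept the id from the cookie, never from the URL, and ask the
        // session module to reject ids it did not issue (session fixation).
        ini_set('session.use_only_cookies', 1);
        ini_set('session.use_strict_mode', 1);

        // Keep the configured lifetime/path/domain, override the security flags.
        $cookieParams = session_get_cookie_params();
        if (PHP_VERSION_ID >= 70300) {
            session_set_cookie_params(array(
                'lifetime' => $cookieParams["lifetime"],
                'path'     => $cookieParams["path"],
                'domain'   => $cookieParams["domain"],
                'secure'   => (bool) $secure,
                'httponly' => $httponly,
                // Lax keeps the cookie off cross-site POSTs (CSRF) while still
                // allowing top-level navigations to carry it.
                'samesite' => 'Lax',
            ));
        } else {
            session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], (bool) $secure, $httponly);
        }
        session_name($session_name);
        session_start();
        // Rotate the id on every start and delete the old row; the new id gets
        // a fresh per-session key from getkey() on the next write.
        session_regenerate_id(true);
    }

    /**
     * Session open callback. The connection was injected in the constructor,
     * so there is nothing to do.
     *
     * @return bool
     */
    public function open() {
        return true;
    }

    /**
     * Session close callback. The connection is owned by the caller
     * (set it to null / unset it there if needed).
     *
     * @return bool
     */
    public function close() {
        return true;
    }

    /**
     * Session read callback.
     *
     * @param string $id Session id.
     * @return string|false Decrypted session data, '' when no row exists or the
     *                      stored blob fails authentication, false on a DB error.
     */
    public function read($id) {
        if (!isset($this->r_stmt)) {
            $this->r_stmt = $this->_connection->prepare(
                "SELECT data FROM sessions WHERE id = :id");
        }
        // Session ids are strings (base-32 here), so binding them as INT would
        // collapse every session onto id 0 with native prepares.
        $this->r_stmt->bindValue(':id', (string) $id, PDO::PARAM_STR);
        if (!$this->r_stmt->execute()) {
            trigger_error("Something went wrong! read();", E_USER_WARNING);
            return false;
        }
        $row = $this->r_stmt->fetch(PDO::FETCH_ASSOC);
        $this->r_stmt->closeCursor();
        if ($row === false || !isset($row['data'])) {
            // New session: the handler contract requires a string, not false.
            return '';
        }
        $key = $this->getkey($id);
        if ($key === false) {
            return false;
        }
        $plain = $this->decrypt($row['data'], $key);
        // A blob that fails authentication is treated as an empty session
        // rather than handed to the session deserializer.
        return $plain === false ? '' : $plain;
    }

    /**
     * Session write callback: encrypt $data and upsert the row for $id.
     *
     * @param string $id   Session id.
     * @param string $data Serialized session data.
     * @return bool
     */
    public function write($id, $data) {
        // Reuse the row's existing key, or mint one for a brand-new session.
        $key = $this->getkey($id);
        if ($key === false) {
            return false;
        }
        $cipher = $this->encrypt($data, $key);
        if ($cipher === false) {
            trigger_error("Something went wrong! write();", E_USER_WARNING);
            return false;
        }
        if (!isset($this->w_stmt)) {
            $this->w_stmt = $this->_connection->prepare(
                "REPLACE INTO sessions (id,data,session_key,set_time) VALUES (:id,:data,:session,:time)");
        }
        $this->w_stmt->bindValue(':id', (string) $id, PDO::PARAM_STR);
        // set_time is compared numerically in gc(), so bind it as an integer.
        $this->w_stmt->bindValue(':time', time(), PDO::PARAM_INT);
        $this->w_stmt->bindValue(':data', $cipher, PDO::PARAM_STR);
        $this->w_stmt->bindValue(':session', $key, PDO::PARAM_STR);
        if ($this->w_stmt->execute()) {
            return true;
        }
        trigger_error("Something went wrong! write();", E_USER_WARNING);
        return false;
    }

    /**
     * Session destroy callback: delete the row for $id.
     *
     * @param string $id Session id.
     * @return bool
     */
    public function destroy($id) {
        if (!isset($this->delete_stmt)) {
            $this->delete_stmt = $this->_connection->prepare(
                "DELETE FROM sessions WHERE id = :id");
        }
        $this->delete_stmt->bindValue(':id', (string) $id, PDO::PARAM_STR);
        if ($this->delete_stmt->execute()) {
            return true;
        }
        trigger_error("Something went wrong! delete();", E_USER_WARNING);
        return false;
    }

    /**
     * Session garbage-collection callback: drop rows not written in the last
     * $max seconds.
     *
     * @param int $max Maximum session lifetime in seconds.
     * @return bool
     */
    public function gc($max) {
        if (!isset($this->gc_stmt)) {
            $this->gc_stmt = $this->_connection->prepare(
                "DELETE FROM sessions WHERE set_time < :max");
        }
        // Bind the cutoff to the placeholder the query actually uses (:max),
        // on the gc statement itself.
        $cutoff = time() - (int) $max;
        $this->gc_stmt->bindValue(':max', $cutoff, PDO::PARAM_INT);
        if ($this->gc_stmt->execute()) {
            // Return a bool: pre-8.1 PHP rejects other return values from gc().
            return true;
        }
        trigger_error("Something went wrong! gbc();", E_USER_WARNING);
        return false;
    }

    /**
     * Look up the per-session key stored with the row for $id, or generate
     * a new one when no row exists yet (the caller persists it on write).
     *
     * @param string $id Session id.
     * @return string|false Hex key, or false on a DB error.
     */
    private function getkey($id) {
        if (!isset($this->key_stmt)) {
            $this->key_stmt = $this->_connection->prepare(
                "SELECT session_key FROM sessions WHERE id = :id LIMIT 1");
        }
        $this->key_stmt->bindValue(':id', (string) $id, PDO::PARAM_STR);
        if (!$this->key_stmt->execute()) {
            trigger_error("Something went wrong! getkey();", E_USER_WARNING);
            return false;
        }
        // Fetch from this statement, not the read() statement.
        $row = $this->key_stmt->fetch(PDO::FETCH_ASSOC);
        $this->key_stmt->closeCursor();
        if ($row !== false && isset($row['session_key']) && $row['session_key'] !== '') {
            return $row['session_key'];
        }
        // No row yet: mint a key from the CSPRNG (uniqid()/mt_rand() are predictable).
        return bin2hex(random_bytes(32));
    }

    /**
     * Derive the 256-bit AES key from the per-session key and the fixed salt.
     *
     * @param string $key Per-session key from the `session_key` column.
     * @return string 32 raw bytes.
     */
    private static function derive_key($key) {
        $salt = 'cH!swe!retReGu7W6bEDRup7usuDUh9THeD2CHeGE*ewr4n39=E@rAsp7c-Ph@pH';
        // Raw output: 32 bytes = full AES-256 key (hex output would halve the entropy).
        return hash('sha256', $salt . $key . $salt, true);
    }

    /**
     * Encrypt session data with AES-256-GCM under the derived key.
     *
     * Output layout, base64 encoded: 12-byte nonce || 16-byte tag || ciphertext.
     * GCM replaces the former mcrypt ECB mode, which leaked plaintext structure
     * and gave no integrity protection (mcrypt is also gone since PHP 7.2).
     *
     * @param string $data Plaintext.
     * @param string $key  Per-session key.
     * @return string|false Base64 blob, or false if OpenSSL refused the operation.
     */
    private function encrypt($data, $key) {
        $aes_key = self::derive_key($key);
        // A fresh nonce on every write: nonce reuse under GCM breaks confidentiality
        // and integrity for both messages.
        $iv = random_bytes(12);
        $tag = '';
        $ciphertext = openssl_encrypt((string) $data, 'aes-256-gcm', $aes_key, OPENSSL_RAW_DATA, $iv, $tag);
        if ($ciphertext === false) {
            return false;
        }
        return base64_encode($iv . $tag . $ciphertext);
    }

    /**
     * Decrypt and authenticate a blob produced by encrypt().
     *
     * @param string $data Base64 blob from the `data` column.
     * @param string $key  Per-session key.
     * @return string|false Plaintext, or false when the blob is malformed or the
     *                      authentication tag does not verify.
     */
    private function decrypt($data, $key) {
        $aes_key = self::derive_key($key);
        $raw = base64_decode((string) $data, true);
        // Need at least nonce (12) + tag (16).
        if ($raw === false || strlen($raw) < 28) {
            return false;
        }
        $iv = substr($raw, 0, 12);
        $tag = substr($raw, 12, 16);
        $ciphertext = (string) substr($raw, 28);
        $plain = openssl_decrypt($ciphertext, 'aes-256-gcm', $aes_key, OPENSSL_RAW_DATA, $iv, $tag);
        return $plain === false ? false : $plain;
    }
}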
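//Connection Details
$db_host = "localhost";
$db_user = "root";
$db_password = "";
$db_database = "";
// Surface driver errors as exceptions instead of silent false returns, and use
// real server-side prepares so bound session ids/data are never spliced into
// the SQL text client-side.
$pdo = new PDO(
    "mysql:host=$db_host;dbname=$db_database;charset=utf8",
    $db_user,
    $db_password,
    array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);
$session = new _session($pdo);
// Second argument: set to true if using https (marks the cookie Secure)
$session->start_session('_s', false);
$_SESSION['something'] = 'password';
echo $_SESSION['something'];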
- ?>