class HybridSessionStore_Crypto (View source)

Class HybridSessionStore_Crypto Some cryptography used for Session cookie encryption. Requires the OpenSSL PHP extension.

Properties

public $salt

Methods

public
__construct($key, $salt)

No description

public
string
encrypt($cleartext)

Encrypt and then sign some cleartext

public
bool|string
decrypt($data)

Check the signature on an encrypted-and-signed message, and if valid decrypt the content

Details

__construct($key, $salt)

No description

Parameters

$key

a per-site secret string which is used as the base encryption key.

$salt

a per-session random string which is used as a salt to generate a per-session key

The base encryption key needs to stay secret. If an attacker ever gets it, they can read their session, and even modify & re-sign it.

The salt is a random per-session string that is used with the base encryption key to create a per-session key. This (amongst other things) makes sure an attacker can't use a known-plaintext attack to guess the key.

Normally we could create a salt on encryption, send it to the client as part of the session (it doesn't need to remain secret), then use the returned salt to decrypt. But we already have the Session ID which makes a great salt, so no need to generate & handle another one.

string encrypt($cleartext)

Encrypt and then sign some cleartext

Parameters

$cleartext
  • The cleartext to encrypt and sign

Return Value

string
  • The encrypted-and-signed message as base64 ASCII.

bool|string decrypt($data)

Check the signature on an encrypted-and-signed message, and if valid decrypt the content

Parameters

$data
  • The encrypted-and-signed message as base64 ASCII

Return Value

bool|string
  • The decrypted cleartext or false if signature failed