Code Away: PHP: Encrypting Session Data

Usually, encrypting session data is not necessary, however, if te data that you store in sessions is sensisitive, or you're questioning the security in your database, here's an example on how to do it.

The idea is simple, you'll just have to modify your functions that store and retrieve data to encrypt and decrypt the data.$sess_db is the database sesion.

<?php
 function get_sess_data($id)
    {
      global $_sess_db;

      $algorithm = MCRYPT_BLOWFISH;
      $mode = MCRYPT_MODE_CBC;

      $id = mysql_real_escape_string($id);

      $sql = "SELECT data FROM sessions
              WHERE  id = '$id'";

      if ($result = mysql_query($sql, $_sess_db))
      {
          $record = mysql_fetch_assoc($result);
          $data = base64_decode($record['data']);
          $iv_size = mcrypt_get_iv_size($algorithm, $mode);
          $ciphertext = substr($data, $iv_size);
          $iv = substr($data, 0, $iv_size);
          $crypt = new crypt();
          $crypt->iv = $iv;
          $crypt->ciphertext = $ciphertext;
          $crypt->decrypt();
          return $crypt->cleartext;
      }
      return '';
    }

    function _write($id, $data)
    {
      global $_sess_db;
      $access = time();
      $crypt = new crypt();
      $crypt->cleartext = $data;
      $crypt->generate_iv();
      $crypt->encrypt();
      $ciphertext = $crypt->ciphertext;
      $iv = $crypt->iv;
      $data = base64_encode($iv . $ciphertext);
      $id = mysql_real_escape_string($id);
      $access = mysql_real_escape_string($access);
      $data = mysql_real_escape_string($data);
      $sql = "REPLACE INTO  sessions
              VALUES ('$id', '$access', '$data')";
      return mysql_query($sql, $_sess_db);
     }
?>

Hope it helps.

Code Away

PHP: Encrypting Session Data

0 comments:

Archives