2017 © Pedro Peláez
 

library mysql-pdo-secure-session-handler

Mysql secure session handler with openssl encryption of session data and 'per session' based lifetime.


drnasin/mysql-pdo-secure-session-handler


  • Tuesday, May 30, 2017
  • by drnasin
  • Repository
  • 1 Watchers
  • 1 Stars
  • 2 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 0 Forks
  • 0 Open issues
  • 1 Versions
  • 0 % Grown

The README.md

License: MIT

About

This is a MySQL PDO secure session handler with openssl encryption/decryption of session data.

The cipher used for encryption/decryption is AES-256-CBC.

CBC has an IV and thus needs fresh randomness every time a message is encrypted. Its other properties:

  • changing a part of the message requires re-encrypting everything after the change
  • a transmission error in one ciphertext block completely destroys the plaintext of that block and changes the decryption of the next block
  • decryption can be parallelized, encryption cannot
  • the plaintext is malleable to a certain degree

Features

  1. openssl encryption of session data using the AES-256-CBC cipher, an "encryption key" and an initialisation vector ("IV"); the IV is needed because of the default cipher mode (CBC)
  2. when a session is created, so is the IV for that session; the IV is then stored in the database as binary data
  3. the lifetime of a session is kept in the database, because there it cannot be tampered with that easily and the calculation of a session's expiration can be left to the database (faster), for example: DELETE FROM sessions WHERE (modified + INTERVAL lifetime SECOND) < NOW()

Usage

Generate your encryption key using: openssl rand -base64 -out tests/encryption.key 180 (the recommended key length is 128 - 256 bits), then check the included example.

Encryption

As per the cipher mode used (CBC in this case), data are encrypted using:

  • the provided encryption key
  • an initialisation vector (IV), generated for every session as a string of (pseudo-random) bytes whose length correlates with the cipher mode used (AES = 256 bits = 32 bytes -> meaning: the generated "IV" has to be 32 bytes long)

Database

@see SessionHandler::createTable()

https://github.com/drnasin/mysql-pdo-secure-session-handler/blob/336143844bd89ee88daa2ff20058798f742c83f3/src/Drnasin/Session/SessionHandler.php#L373
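The Encryption and Database sections above describe the design without showing it in code. The block below is an added example written for this page, not the drnasin project's own SessionHandler: a PDO/MySQL handler that encrypts session data with AES-256-CBC under a stored IV and lets the database decide expiry from the per-row lifetime column using the README's own DELETE query. It differs from the README in three deliberate ways. It asks OpenSSL for the IV size with openssl_cipher_iv_length() rather than hard-coding it (for AES in CBC mode that is the 128-bit block size, 16 bytes, whatever the key length). It draws a fresh IV on every write instead of once per session, so no IV is ever reused under the same key. And because the About section notes that CBC plaintext is malleable, it authenticates the ciphertext with an HMAC (encrypt-then-MAC) so a record altered in the database is rejected instead of being decrypted into attacker-influenced session data. The table name `sessions`, its columns, and the key file path are hypothetical; it assumes PHP 8 with ext-openssl and ext-pdo_mysql.

```php
<?php
// Added example (not the drnasin project's code). Hypothetical names: table `sessions`,
// its columns, and the key file path. Requires PHP 8 with ext-openssl and ext-pdo_mysql.
declare(strict_types=1);

final class SessionCrypto
{
    public const CIPHER = 'aes-256-cbc';
    private string $encKey;  // 32-byte AES-256 key
    private string $macKey;  // independent key for HMAC-SHA256

    public function __construct(string $masterKey)
    {
        // Derive two independent keys from the raw key material (e.g. the decoded
        // contents of a file produced by `openssl rand -base64 -out ... 180`).
        $this->encKey = hash_hkdf('sha256', $masterKey, 32, 'session-enc');
        $this->macKey = hash_hkdf('sha256', $masterKey, 32, 'session-mac');
    }

    public static function newIv(): string
    {
        // Let OpenSSL report the IV size for the cipher instead of hard-coding it.
        return random_bytes(openssl_cipher_iv_length(self::CIPHER));
    }

    public function seal(string $plaintext, string $iv): string
    {
        $ct = openssl_encrypt($plaintext, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        // Encrypt-then-MAC over IV||ciphertext: CBC on its own is malleable.
        return $ct . hash_hmac('sha256', $iv . $ct, $this->macKey, true);
    }

    public function open(string $blob, string $iv): ?string
    {
        $ct  = substr($blob, 0, -32);
        $tag = substr($blob, -32);
        if (strlen($blob) < 32 || !hash_equals(hash_hmac('sha256', $iv . $ct, $this->macKey, true), $tag)) {
            return null; // altered in the database or wrong key: refuse to decrypt
        }
        $pt = openssl_decrypt($ct, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
        return $pt === false ? null : $pt;
    }
}

final class EncryptedPdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private SessionCrypto $crypto, private int $lifetime = 1440) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Expiry is evaluated by the database from the per-row lifetime, as the README suggests.
        $st = $this->pdo->prepare('SELECT data, iv FROM sessions
            WHERE id = :id AND (modified + INTERVAL lifetime SECOND) > NOW()');
        $st->execute(['id' => $id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : ($this->crypto->open($row['data'], $row['iv']) ?? '');
    }

    public function write(string $id, string $data): bool
    {
        $iv = SessionCrypto::newIv(); // fresh IV on every write, so none is reused under this key
        $st = $this->pdo->prepare('INSERT INTO sessions (id, data, iv, modified, lifetime)
            VALUES (:id, :data, :iv, NOW(), :lt) ON DUPLICATE KEY UPDATE
            data = VALUES(data), iv = VALUES(iv), modified = NOW(), lifetime = VALUES(lifetime)');
        $st->bindValue('id', $id);
        $st->bindValue('data', $this->crypto->seal($data, $iv), PDO::PARAM_LOB);
        $st->bindValue('iv', $iv, PDO::PARAM_LOB);
        $st->bindValue('lt', $this->lifetime, PDO::PARAM_INT);
        return $st->execute();
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = :id')->execute(['id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // The README's own expiry query: the database computes (modified + lifetime) per row.
        return $this->pdo->exec('DELETE FROM sessions WHERE (modified + INTERVAL lifetime SECOND) < NOW()');
    }
}

// Database-free self-check of the crypto layer on a constructed sample payload.
$crypto = new SessionCrypto(random_bytes(32));
$iv     = SessionCrypto::newIv();
$blob   = $crypto->seal('user|i:42;', $iv);
assert($crypto->open($blob, $iv) === 'user|i:42;');
$blob[0] = chr(ord($blob[0]) ^ 0x01);        // flip one ciphertext bit
assert($crypto->open($blob, $iv) === null);  // rejected by the MAC instead of decrypted to garbage
```

The assumed schema is sessions(id VARCHAR(128) PRIMARY KEY, data MEDIUMBLOB, iv VARBINARY(32), modified DATETIME, lifetime INT UNSIGNED); VARBINARY(32) holds the 16-byte IV that openssl_cipher_iv_length() reports for this cipher as well as the 32-byte value the README describes. To wire it in, build the handler with a PDO connection (set PDO::ATTR_ERRMODE to PDO::ERRMODE_EXCEPTION so failed writes surface) and a SessionCrypto made from base64_decode(file_get_contents('tests/encryption.key')), then call session_set_save_handler($handler, true) before session_start(). A tampered or expired row reads back as an empty session rather than as partially decrypted data.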

Usage

composer require drnasin/mysql-pdo-secure-session-handler

or git clone the repo.

Example

check example.php

If you need any help let me know. Just use the "Issues" tab...

Tests

Update the database variables in tests/phpunit.xml, then

run: composer tests

Code coverage

Code coverage will be generated in the tests/code-coverage-report directory.

The Versions

30/05 2017

dev-master

9999999-dev https://github.com/drnasin/mysql-pdo-secure-session-handler



MIT

The Requires

  • php >=5.6
  • ext-pdo_mysql >=5.6
  • ext-openssl >=5.6

 

The Development Requires

php pdo mysql encryption session openssl secure encrypted session handler session data