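/**
 * Hardens the session against fixation and hijacking.
 *
 * Should be called before login and again after a successful login, so that
 * any session ID an attacker may have planted (fixation) is invalidated at
 * the privilege boundary. Only required if sensitive information is stored
 * in the session.
 *
 * Note: regenerating the ID is not an XSS mitigation — script already running
 * in the page is unaffected by it. The protection here is strictly against
 * fixation/hijacking through a known session ID.
 *
 * @return void
 *
 * @throws \RuntimeException if no CSRF token could be generated (fail closed
 *                           rather than leave an empty token in the session)
 */
function PMA_secureSession()
{
    // Rotate the session ID and delete the old session's data (the `true`
    // argument) so the previous ID stops working. Only possible while a
    // session is active.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    // Fresh per-session CSRF token: 16 random bytes, stored hex-encoded.
    $token = phpseclib\Crypt\Random::string(16);
    if (!is_string($token) || strlen($token) !== 16) {
        // An empty or short token would make later token comparisons
        // trivially satisfiable, so refuse to continue instead.
        throw new \RuntimeException('Failed to generate random CSRF token!');
    }
    $_SESSION[' PMA_token '] = bin2hex($token);
}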
/**
 * Hardens the session against fixation and hijacking.
 *
 * Call before login and again right after a successful login, so a session
 * ID an attacker may have planted is discarded at the privilege boundary.
 * Only needed when sensitive data lives in the session.
 *
 * Regenerating the ID protects against fixation/hijacking only; it is not an
 * XSS mitigation.
 *
 * @return void
 */
function PMA_secureSession()
{
    // session_status() only exists from PHP 5.4 on; older releases are probed
    // through session_id(), which is non-empty once a session was started.
    if (PMA_PHP_INT_VERSION >= 50400) {
        $hasActiveSession = (session_status() === PHP_SESSION_ACTIVE);
    } else {
        $hasActiveSession = (session_id() !== '');
    }

    if ($hasActiveSession) {
        // true: also delete the old session's data so the previous ID is dead.
        session_regenerate_id(true);
    }

    // Fresh CSRF token: 16 random bytes, stored as 32 hex characters.
    $randomBytes = phpseclib\Crypt\Random::string(16);
    $_SESSION[' PMA_token '] = bin2hex($randomBytes);
}
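/**
 * Hardens the session against fixation and hijacking.
 *
 * Should be called before login and again after a successful login, so a
 * session ID an attacker may have planted is invalidated at the privilege
 * boundary. Only required if sensitive information is stored in the session.
 *
 * Note: this is not an XSS mitigation — rotating the ID does nothing against
 * script already running in the page.
 *
 * @return void
 *
 * @throws \RuntimeException if no cryptographically strong CSRF token could
 *                           be generated (fails closed instead of storing an
 *                           empty or weak token)
 */
function PMA_secureSession()
{
    // Rotate the ID and delete the old session's data (the `true` argument),
    // so the previous ID stops working. Skipped under the test suite, which
    // has no real session to regenerate.
    if (session_status() === PHP_SESSION_ACTIVE && !defined('TESTSUITE')) {
        session_regenerate_id(true);
    }

    // 16 random bytes for the CSRF token, taken from the first generator that
    // can vouch for its output:
    //  1. random_bytes() (PHP 7+): OS CSPRNG that throws instead of degrading;
    //  2. openssl_random_pseudo_bytes(): only when it reports $strong — it can
    //     return false, or non-crypto-strong bytes with $strong = false, and
    //     the original code used such output without checking;
    //  3. phpseclib's CSPRNG as the portable fallback.
    $token = '';
    if (function_exists('random_bytes')) {
        $token = random_bytes(16);
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        if ($bytes !== false && $strong) {
            $token = $bytes;
        }
    }
    if ($token === '') {
        $token = phpseclib\Crypt\Random::string(16);
    }

    if (!is_string($token) || strlen($token) !== 16) {
        // Never leave an empty/short token behind: later token comparisons
        // would be trivially satisfiable.
        throw new \RuntimeException('Failed to generate random CSRF token!');
    }
    $_SESSION[' PMA_token '] = bin2hex($token);
}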
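/**
 * Generates the PMA_token session variable (anti-CSRF token).
 *
 * Uses phpseclib's CSPRNG when it is loaded, otherwise
 * openssl_random_pseudo_bytes(). Generation can fail (for example openssl
 * without a usable /dev/random), and openssl can also hand back bytes that
 * are not cryptographically strong; both cases are treated as fatal so that
 * neither an empty nor a predictable token ever reaches the session.
 *
 * @return void
 */
function PMA_generateToken()
{
    $token = false;
    if (class_exists('phpseclib\\Crypt\\Random')) {
        $token = phpseclib\Crypt\Random::string(16);
    } else {
        // $strong is filled in by reference. Weak output is as unusable as no
        // output for a CSRF token, so it is discarded rather than stored (the
        // previous version stored whatever came back).
        $strong = false;
        $token = openssl_random_pseudo_bytes(16, $strong);
        if (!$strong) {
            $token = false;
        }
    }
    /**
     * Check that the token was properly generated: exactly 16 raw bytes.
     * Anything else (false, weak output, short read) is fatal — fail closed.
     */
    if (!is_string($token) || strlen($token) !== 16) {
        PMA_fatalError('Failed to generate random CSRF token!');
    }
    $_SESSION[' PMA_token '] = bin2hex($token);
}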
    setcookie($session_name, '', 1);
    $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count);
    PMA_sessionFailed($errors);
}
unset($orig_error_count, $session_result);
/**
 * Sets session.use_cookies to 'true' for further session_start() calls.
 *
 * NOTE(review): the comment originally here said this *disables* session
 * cookies, but the value written is 'true', which enables the directive —
 * one of the two is wrong; confirm the intended behaviour against the
 * callers before changing either side. The '@' swallows any failure (e.g.
 * the directive being locked down in php.ini), so this is best-effort and
 * nothing verifies that the value actually took effect.
 */
@ini_set('session.use_cookies', 'true');
/**
 * Token which is used for authenticating access queries.
 * (we use "space PMA_token space" to prevent overwriting)
 */
if (!isset($_SESSION[' PMA_token '])) {
    if (!function_exists('openssl_random_pseudo_bytes')) {
        $_SESSION[' PMA_token '] = bin2hex(phpseclib\Crypt\Random::string(16));
    } else {
        $_SESSION[' PMA_token '] = bin2hex(openssl_random_pseudo_bytes(16));
    }
    /**
     * Check for disk space on session storage by trying to write it.
     *
     * This seems to be most reliable approach to test if sessions are working,
     * otherwise the check would fail with custom session backends.
     */
    $orig_error_count = $GLOBALS['error_handler']->countErrors();
    session_write_close();
    if ($GLOBALS['error_handler']->countErrors() > $orig_error_count) {
        $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count);
        PMA_sessionFailed($errors);
    }
<?php

include '../phpseclib/vendor/autoload.php';
// Demo of password-based RC2-CBC encryption with phpseclib.
//
// NOTE(review): RC2 is a legacy cipher with a 64-bit block; for anything
// beyond a demo prefer AES. CBC as used here is also unauthenticated —
// nothing detects a tampered ciphertext — so real code should add a MAC
// (encrypt-then-MAC) or use an AEAD mode instead.
$plaintext = 'Something very secret.';
// Placeholder only. A real secret must come from configuration or secret
// storage, never from a literal in the source file.
$password = '******';
// 8 bytes = RC2 block size; in CBC mode the IV must be one block long.
$ivSize = 8;
// Fresh random IV per message (CSPRNG via phpseclib); it must never be
// reused with the same key. It is prepended to the ciphertext further down
// so the decrypting side can recover it.
$randomIV = phpseclib\Crypt\Random::string($ivSize);
echo 'Plaintext: ' . $plaintext . "\r\n";
//Create new RC2 object for encrypting
$rc2_encrypt = new \phpseclib\Crypt\RC2(\phpseclib\Crypt\RC2::MODE_CBC);
//set OPENSSL as preferred engine
//NOTE(review): "preferred" presumably means phpseclib falls back to its own
//implementation when OpenSSL cannot provide RC2 (e.g. OpenSSL 3 without the
//legacy provider) — confirm against the installed phpseclib version.
$rc2_encrypt->setPreferredEngine(phpseclib\Crypt\RC2::ENGINE_OPENSSL);
//set keylength to 256
$rc2_encrypt->setKeyLength(256);
//set pbkdf2 with sha512 and 4096 iterations as password hashing method
//NOTE(review): the salt argument is NULL, so phpseclib presumably uses a
//fixed library default — the same for every caller. PBKDF2 needs a random
//per-password salt (stored next to the IV) to resist precomputation; verify.
$rc2_encrypt->setPassword($password, 'pbkdf2', 'sha512', NULL, 4096);
$rc2_encrypt->setIV($randomIV);
$ciphertext_raw = $rc2_encrypt->encrypt($plaintext);
// Raw bytes go straight to stdout: fine for a demo, unreadable in a terminal.
echo 'Ciphertext(RAW): ' . $ciphertext_raw . "\r\n";
// Wire format: IV || ciphertext, base64 for transport.
$ciphertext = base64_encode($randomIV . $ciphertext_raw);
echo 'Ciphertext(base64): ' . $ciphertext . "\r\n";
//Create new RC2 object for decryption — it must mirror every setting used for
//encryption (mode, engine, key length, KDF parameters) or decryption yields
//garbage rather than an error.
$rc2_decrypt = new phpseclib\Crypt\RC2(\phpseclib\Crypt\RC2::MODE_CBC);
//set OPENSSL as preferred engine
$rc2_decrypt->setPreferredEngine(phpseclib\Crypt\RC2::ENGINE_OPENSSL);
//set key length to 256
$rc2_decrypt->setKeyLength(256);
//set pbkdf2 with sha512 and 4096 iterations as password hashing method
$rc2_decrypt->setPassword($password, 'pbkdf2', 'sha512', NULL, 4096);
// base64_decode() without strict mode silently skips invalid characters; with
// untrusted input pass true as the second argument and reject a false result.
$ciphertext_decoded = base64_decode($ciphertext);
// Split the IV back off the front; the actual decryption continues below.
$rc2_decrypt->setIV(substr($ciphertext_decoded, 0, $ivSize));