public function unserialize($signed_data) { if (!is_scalar($signed_data)) { return NULL; } if (strpos($signed_data, '.') === FALSE) { return NULL; } list($encoded_sig, $payload) = explode('.', $signed_data, 2); $sig = self::base64UrlDecode($encoded_sig); $data = parent::unserialize($payload); $expected_sig = hash_hmac('sha256', $payload, $this->__secret, $raw = true); if ($sig !== $expected_sig) { return NULL; } return $data; }