/**
 * Hardens the current session against fixation and hijacking.
 *
 * Regenerates the session id (deleting the old one) whenever a session is
 * active, then stores a fresh random token under $_SESSION[' PMA_token '].
 * Meant to run before login and again after a successful login; only needed
 * once sensitive data is kept in the session.
 *
 * @return void
 */
function PMA_secureSession()
{
    // Only an active session can be given a new id. Dropping the old id makes
    // an id planted before login (fixation) or captured earlier useless.
    // This mitigates fixation/hijacking, not XSS.
    $sessionActive = (PHP_SESSION_ACTIVE === session_status());
    if ($sessionActive) {
        session_regenerate_id(true);
    }

    // Fresh 128-bit CSRF token, hex-encoded to 32 characters. The key is
    // deliberately padded with spaces so ordinary session data cannot
    // overwrite it.
    $tokenBytes = phpseclib\Crypt\Random::string(16);
    $_SESSION[' PMA_token '] = bin2hex($tokenBytes);
}
/**
 * Hardens the current session against fixation and hijacking.
 *
 * Regenerates the session id (deleting the old one) whenever a session is
 * active, then stores a fresh random token under $_SESSION[' PMA_token '].
 * Meant to run before login and again after a successful login; only needed
 * once sensitive data is kept in the session.
 *
 * @return void
 */
function PMA_secureSession()
{
    // session_status() only exists from PHP 5.4 on; older versions have to
    // infer an active session from a non-empty session id. Branching on the
    // version first keeps the unavailable call from ever being evaluated.
    if (PMA_PHP_INT_VERSION >= 50400) {
        $sessionActive = (session_status() === PHP_SESSION_ACTIVE);
    } else {
        $sessionActive = (session_id() !== '');
    }

    // A new id makes an id planted before login (fixation) or captured
    // earlier useless. Regenerating the id does not mitigate XSS.
    if ($sessionActive) {
        session_regenerate_id(true);
    }

    // Fresh 128-bit CSRF token, hex-encoded to 32 characters; the key is
    // padded with spaces so ordinary session data cannot overwrite it.
    $tokenBytes = phpseclib\Crypt\Random::string(16);
    $_SESSION[' PMA_token '] = bin2hex($tokenBytes);
}
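/**
 * Hardens the current session against fixation and hijacking.
 *
 * Regenerates the session id (deleting the old one) when a session is
 * active, then issues a fresh 128-bit CSRF token under
 * $_SESSION[' PMA_token ']. Call before login and again after a successful
 * login; only needed once sensitive data lives in the session.
 *
 * Aborts via PMA_fatalError() if no cryptographically strong random bytes
 * could be obtained, instead of silently storing an empty token.
 *
 * @return void
 */
function PMA_secureSession()
{
    // A fresh id invalidates an id planted or captured before login
    // (fixation / hijacking); it does nothing against XSS. Regeneration is
    // skipped when the TESTSUITE constant is defined.
    if (session_status() === PHP_SESSION_ACTIVE && !defined('TESTSUITE')) {
        session_regenerate_id(true);
    }

    // Prefer OpenSSL when present, but only trust output it reports as
    // cryptographically strong. openssl_random_pseudo_bytes() can return
    // false (e.g. no usable /dev/random), and bin2hex(false) is '' — which
    // would otherwise end up stored as the token, unchecked.
    $bytes = false;
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        if (!$strong) {
            $bytes = false;
        }
    }
    if ($bytes === false) {
        $bytes = phpseclib\Crypt\Random::string(16);
    }

    // Validate before storing so an empty/short token never reaches the
    // session. PMA_fatalError() is expected to end the request — confirm.
    if (!is_string($bytes) || strlen($bytes) !== 16) {
        PMA_fatalError('Failed to generate random CSRF token!');
        return;
    }

    $_SESSION[' PMA_token '] = bin2hex($bytes);
}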
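/**
 * Generates the PMA_token session variable (the CSRF token).
 *
 * Stores 16 random bytes, hex-encoded to 32 characters, under
 * $_SESSION[' PMA_token ']. phpseclib's CSPRNG is used when available,
 * otherwise OpenSSL. Aborts via PMA_fatalError() when no cryptographically
 * strong random bytes could be produced (the generation can fail, for
 * example due to a missing /dev/random for openssl).
 *
 * @return void
 */
function PMA_generateToken()
{
    $bytes = false;
    if (class_exists('phpseclib\\Crypt\\Random')) {
        $bytes = phpseclib\Crypt\Random::string(16);
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        // openssl may return false, or bytes it does not consider
        // cryptographically strong; treat both as a failed generation
        // rather than minting a guessable token.
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        if (!$strong) {
            $bytes = false;
        }
    }

    // Validate before storing so an empty/short token never reaches the
    // session. PMA_fatalError() is expected to end the request — confirm.
    if (!is_string($bytes) || strlen($bytes) !== 16) {
        PMA_fatalError('Failed to generate random CSRF token!');
        return;
    }

    $_SESSION[' PMA_token '] = bin2hex($bytes);
}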
setcookie($session_name, '', 1); $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count); PMA_sessionFailed($errors); } unset($orig_error_count, $session_result); /** * Disable setting of session cookies for further session_start() calls. */ @ini_set('session.use_cookies', 'true'); /** * Token which is used for authenticating access queries. * (we use "space PMA_token space" to prevent overwriting) */ if (!isset($_SESSION[' PMA_token '])) { if (!function_exists('openssl_random_pseudo_bytes')) { $_SESSION[' PMA_token '] = bin2hex(phpseclib\Crypt\Random::string(16)); } else { $_SESSION[' PMA_token '] = bin2hex(openssl_random_pseudo_bytes(16)); } /** * Check for disk space on session storage by trying to write it. * * This seems to be most reliable approach to test if sessions are working, * otherwise the check would fail with custom session backends. */ $orig_error_count = $GLOBALS['error_handler']->countErrors(); session_write_close(); if ($GLOBALS['error_handler']->countErrors() > $orig_error_count) { $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count); PMA_sessionFailed($errors); }
<?php
// Demo: password-based RC2-CBC encryption/decryption with phpseclib.
// NOTE(review): RC2 is a legacy cipher and CBC provides confidentiality only —
// nothing here detects tampering with the ciphertext. New code should prefer
// an authenticated mode (e.g. AES-GCM) or at least MAC the IV||ciphertext.
include '../phpseclib/vendor/autoload.php';
$plaintext = 'Something very secret.';
// Placeholder only; a real secret must come from configuration, never source.
$password = '******';
// RC2 has a 64-bit block, so the CBC IV is 8 bytes.
$ivSize = 8;
// Fresh random IV per message; it is prepended to the ciphertext below so the
// decrypting side can recover it.
$randomIV = phpseclib\Crypt\Random::string($ivSize);
echo 'Plaintext: ' . $plaintext . "\r\n";
//Create new RC2 object for encrypting
$rc2_encrypt = new \phpseclib\Crypt\RC2(\phpseclib\Crypt\RC2::MODE_CBC);
//set OPENSSL as preferred engine
$rc2_encrypt->setPreferredEngine(phpseclib\Crypt\RC2::ENGINE_OPENSSL);
//set keylength to 256
$rc2_encrypt->setKeyLength(256);
//set pbkdf2 with sha512 and 4096 iterations as password hashing method
// NOTE(review): the NULL salt presumably makes phpseclib fall back to its
// built-in default salt, so the derived key depends on the password alone —
// verify against the library; if so, pass a random per-message salt and
// store it alongside the IV.
$rc2_encrypt->setPassword($password, 'pbkdf2', 'sha512', NULL, 4096);
$rc2_encrypt->setIV($randomIV);
$ciphertext_raw = $rc2_encrypt->encrypt($plaintext);
// Emits raw binary to the output stream; fine for a demo, not for logs/HTML.
echo 'Ciphertext(RAW): ' . $ciphertext_raw . "\r\n";
// Wire format: base64( IV || ciphertext ).
$ciphertext = base64_encode($randomIV . $ciphertext_raw);
echo 'Ciphertext(base64): ' . $ciphertext . "\r\n";
//Create new RC2 object for decryption
$rc2_decrypt = new phpseclib\Crypt\RC2(\phpseclib\Crypt\RC2::MODE_CBC);
//set OPENSSL as preferred engine
$rc2_decrypt->setPreferredEngine(phpseclib\Crypt\RC2::ENGINE_OPENSSL);
//set key length to 256
$rc2_decrypt->setKeyLength(256);
//set pbkdf2 with sha512 and 4096 iterations as password hashing method
// Key derivation must use exactly the same parameters as the encrypt side.
$rc2_decrypt->setPassword($password, 'pbkdf2', 'sha512', NULL, 4096);
// No validation of the decoded length here: a truncated or corrupted blob
// would yield a short/garbage IV rather than a clear error.
$ciphertext_decoded = base64_decode($ciphertext);
// Recover the IV from the first $ivSize bytes of the decoded blob.
$rc2_decrypt->setIV(substr($ciphertext_decoded, 0, $ivSize));