示例#1
 /**
  * Save session
  * @return  void
  */
 protected function saveSession()
 {
     $cfg = $this->settings;

     // The whole $_SESSION array is serialized and carried inside the cookie,
     // so the session state is held by the client, not the server.
     // NOTE(review): the read path is not visible here; confirm it verifies the
     // cookie before any unserialize() call and that 'secret' is a long random
     // value, because the cookie contents are attacker-controllable input.
     $payload = serialize($_SESSION);
     $cookieValue = Slim_Http_Util::encodeSecureCookie($payload, $cfg['expires'], $cfg['secret'], $cfg['cipher'], $cfg['cipher_mode']);

     $fitsInCookie = strlen($cookieValue) <= 4096;
     if ($fitsInCookie) {
         // 'secure' and 'httponly' are taken straight from settings.
         // NOTE(review): check that the configured defaults enable both.
         $cookie = array(
             'value' => $cookieValue,
             'domain' => $cfg['domain'],
             'path' => $cfg['path'],
             'expires' => $cfg['expires'],
             'secure' => $cfg['secure'],
             'httponly' => $cfg['httponly'],
         );
         $this->app->response()->setCookie($cfg['name'], $cookie);
     } else {
         // Oversized value: no cookie is set and only a log entry is written,
         // so this request's session changes are not persisted.
         $this->app->getLog()->error('WARNING! Slim_Middleware_SessionCookie data size is larger than 4KB. Content save failed.');
     }

     // Runs on both paths, whether or not the cookie was written.
     session_destroy();
 }
 /**
  * Set an encrypted Cookie
  *
  * @param   string  $name       The cookie name
  * @param   mixed   $value      The cookie value
  * @param   mixed   $expires    The duration of the cookie;
  *                              If integer, should be UNIX timestamp;
  *                              If string, converted to UNIX timestamp with `strtotime`;
  * @param   string  $path       The path on the server in which the cookie will be available on
  * @param   string  $domain     The domain that the cookie is available to
  * @param   bool    $secure     Indicates that the cookie should only be transmitted over a secure
  *                              HTTPS connection from the client
  * @param   bool    $httponly   When TRUE the cookie will be made accessible only through the HTTP protocol
  * @return  void
  */
 public function setEncryptedCookie($name, $value, $expires = null, $path = null, $domain = null, $secure = null, $httponly = null)
 {
     // No explicit lifetime given: fall back to the configured one.
     if ($expires === null) {
         $expires = $this->config('cookies.lifetime');
     }

     // String lifetimes (from the caller or from config) become UNIX timestamps.
     // NOTE(review): strtotime() returns false for unparsable input and that
     // value is passed on unchanged to both calls below.
     if (is_string($expires)) {
         $expires = strtotime($expires);
     }

     // Key material and cipher selection come from application config.
     // NOTE(review): confirm 'cookies.secret_key' is overridden per deployment
     // and is not a shared or default value.
     $secretKey = $this->config('cookies.secret_key');
     $cipher = $this->config('cookies.cipher');
     $cipherMode = $this->config('cookies.cipher_mode');

     $protectedValue = Slim_Http_Util::encodeSecureCookie($value, $expires, $secretKey, $cipher, $cipherMode);

     // $secure / $httponly are forwarded as given (null when the caller omits them).
     $this->setCookie($name, $protectedValue, $expires, $path, $domain, $secure, $httponly);
 }
示例#3
 /**
  * Test encode/decode secure cookie with tampered data
  *
  * In this test, the encoded data is purposefully changed to simulate someone
  * tampering with the client-side cookie data. When decoding the encoded cookie value,
  * FALSE is returned since the verification key will not match.
  */
 public function testEncodeAndDecodeSecureCookieWithTamperedData()
 {
     // Fixture inputs. 'password' is a test-only secret.
     // NOTE(review): the MCRYPT_* constants come from ext/mcrypt, which was
     // removed from PHP core in 7.2; MCRYPT_RIJNDAEL_256 is Rijndael with a
     // 256-bit block, which is not AES.
     $secret = 'password';
     $cipher = MCRYPT_RIJNDAEL_256;
     $cipherMode = MCRYPT_MODE_CBC;
     $expiresAt = time() + 86400;

     $cookie = Slim_Http_Util::encodeSecureCookie('foo', $expiresAt, $secret, $cipher, $cipherMode);

     // Alter the second '|'-separated field to simulate client-side tampering.
     $fields = explode('|', $cookie);
     $fields[1] .= 'changed';
     $tamperedCookie = implode('|', $fields);

     // A modified cookie must be rejected: decoding returns FALSE.
     $this->assertFalse(Slim_Http_Util::decodeSecureCookie($tamperedCookie, $secret, $cipher, $cipherMode));
 }
示例#4
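 /**
  * Save session
  * @param   array   $env     Environment array, passed by reference; its 'slim.errors' entry receives the oversize warning
  * @param   int     $status
  * @param   array   $header
  * @param   string  $body
  * @return  array[status, header, body]
  */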
 protected function saveSession(&$env, $status, $header, $body)
 {
     $response = new Slim_Http_Response($body, $status, $header);
     $cfg = $this->settings;

     // The whole $_SESSION array is serialized and carried inside the cookie,
     // so the session state is held by the client.
     // NOTE(review): the read path is not visible here; confirm it verifies the
     // cookie before any unserialize() call and that 'secret' is a long random
     // value, because the cookie contents are attacker-controllable input.
     $payload = serialize($_SESSION);
     $cookieValue = Slim_Http_Util::encodeSecureCookie($payload, $cfg['expires'], $cfg['secret'], $cfg['cipher'], $cfg['cipher_mode']);

     $fitsInCookie = strlen($cookieValue) <= 4096;
     if ($fitsInCookie) {
         // 'secure' and 'httponly' are taken straight from settings.
         // NOTE(review): check that the configured defaults enable both.
         $response->setCookie($cfg['name'], $cookieValue, $cfg['expires'], $cfg['path'], $cfg['domain'], $cfg['secure'], $cfg['httponly']);
     } else {
         // Oversized value: no cookie is added; the warning goes to the error
         // stream in $env and the response is returned without the session.
         fwrite($env['slim.errors'], 'WARNING! Slim_Middleware_SessionCookie data size is larger than 4KB. Content save failed.');
     }

     return $response->finalize();
 }