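/**
 * Set encrypted HTTP cookie
 *
 * The value is encrypted and signed by `\Slim\Http\Util::encodeSecureCookie`
 * with the `cookies.secret_key`, `cookies.cipher` and `cookies.cipher_mode`
 * settings, and the resulting string is handed to `setCookie()` under `$name`.
 *
 * @param string $name     The cookie name
 * @param mixed  $value    The cookie value
 * @param mixed  $expires  The duration of the cookie;
 *                         If integer, should be UNIX timestamp;
 *                         If string, converted to UNIX timestamp with `strtotime`;
 *                         If null, the `cookies.lifetime` setting is used (and converted the same way)
 * @param string $path     The path on the server in which the cookie will be available on
 * @param string $domain   The domain that the cookie is available to
 * @param bool   $secure   Indicates that the cookie should only be transmitted over a secure
 *                         HTTPS connection from the client
 * @param bool   $httponly When TRUE the cookie will be made accessible only through the HTTP protocol
 *
 * @throws \InvalidArgumentException If `$expires` is a string that `strtotime` cannot parse
 */
public function setEncryptedCookie($name, $value, $expires = null, $path = null, $domain = null, $secure = null, $httponly = null)
{
    if (is_null($expires)) {
        $expires = $this->config('cookies.lifetime');
    }

    if (is_string($expires)) {
        $parsed = strtotime($expires);
        // strtotime() returns false on an unparsable string. Previously that false was
        // passed straight through as the expiry of the signed cookie; fail loudly instead
        // so a typo in a lifetime setting cannot silently produce a mis-expiring cookie.
        if ($parsed === false) {
            throw new \InvalidArgumentException(
                sprintf('Cookie expiry "%s" could not be parsed by strtotime()', $expires)
            );
        }
        $expires = $parsed;
    }

    // NOTE(review): $secure and $httponly default to null and are forwarded unchanged;
    // how setCookie() treats null is decided elsewhere. Callers storing session-grade
    // data should pass true for both explicitly rather than rely on the defaults.
    $secureValue = \Slim\Http\Util::encodeSecureCookie(
        $value,
        $expires,
        $this->config('cookies.secret_key'),
        $this->config('cookies.cipher'),
        $this->config('cookies.cipher_mode')
    );

    $this->setCookie($name, $secureValue, $expires, $path, $domain, $secure, $httponly);
}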
/**
 * Test encode/decode secure cookie with tampered data
 *
 * Encodes a value, then appends junk to the second `|`-separated segment of
 * the encoded string to mimic a client editing its cookie. Decoding the
 * corrupted string must yield FALSE because the verification key no longer
 * matches the data.
 *
 * Relies on the MCRYPT_* constants from ext/mcrypt, which is not part of
 * PHP core from 7.2 onward; the test needs that extension to run.
 */
public function testEncodeAndDecodeSecureCookieWithTamperedData()
{
    $secret = 'password';
    $cipher = MCRYPT_RIJNDAEL_256;
    $cipherMode = MCRYPT_MODE_CBC;
    $expiresAt = time() + 86400;

    $encoded = \Slim\Http\Util::encodeSecureCookie('foo', $expiresAt, $secret, $cipher, $cipherMode);

    // Corrupt only the second segment; every other segment stays exactly as encoded.
    $segments = explode('|', $encoded);
    $segments[1] .= 'changed';
    $tampered = implode('|', $segments);

    $this->assertFalse(
        \Slim\Http\Util::decodeSecureCookie($tampered, $secret, $cipher, $cipherMode)
    );
}
/**
 * Save session
 *
 * Serializes `$_SESSION`, encrypts and signs it via `\Slim\Http\Util::encodeSecureCookie`
 * using the middleware settings, and writes the result as a response cookie. If the
 * encoded payload exceeds 4096 bytes it is not written and an error is logged instead.
 * The server-side PHP session is destroyed in both cases.
 *
 * NOTE(review): the cookie carries `serialize()` output, so whatever reads it back must
 * verify the signature before calling `unserialize()` on it — confirm on the load side.
 */
protected function saveSession()
{
    $settings = $this->settings;

    $payload = \Slim\Http\Util::encodeSecureCookie(
        serialize($_SESSION),
        $settings['expires'],
        $settings['secret'],
        $settings['cipher'],
        $settings['cipher_mode']
    );

    // Only the value length is measured here; the 4096-byte limit user agents apply
    // (RFC 6265 §6.1) counts name, value and attributes together, so this is generous.
    $tooLarge = strlen($payload) > 4096;

    if ($tooLarge) {
        $this->app->getLog()->error('WARNING! Slim\\Middleware\\SessionCookie data size is larger than 4KB. Content save failed.');
    } else {
        $cookie = array(
            'value' => $payload,
            'domain' => $settings['domain'],
            'path' => $settings['path'],
            'expires' => $settings['expires'],
            'secure' => $settings['secure'],
            'httponly' => $settings['httponly'],
        );
        $this->app->response()->setCookie($settings['name'], $cookie);
    }

    session_destroy();
}