Cookie handling on first session start about php-secure-session HOT 6 CLOSED

@gollumben At one point I was working on just this issue, not sure if this is helpful but I do have a PR to a local branch which may have some code which would help you. https://github.com/hardyjohnson/PHP-Secure-Session/pull/2/files

from php-secure-session.

@gollumben ok, we need a unit test for this case. Can you provide one? Otherwise I can work on it. Let me know, thanks!

Regarding the question about security, the reason we store the key in the client (browser) using the cookies is to separate it from the encrypted data that are stored in the server. To protect cookies you can use HTTPS and limit the scope to a specific domain, in this article you can find more info about cookies security.

from php-secure-session.

Sorry for the late reply. Here is a minimal working example. It is important that you close your browser and open it again, since the cookies have to be deleted. You should see an error of the type

Fatal error: Uncaught RuntimeException: Authentication failed in /var/www/html/securesession/vendor/ezimuel/php-secure-session/src/SecureHandler.php:125 Stack trace: #0 /var/www/html/securesession/vendor/ezimuel/php-secure-session/src/SecureHandler.php(63): PHPSecureSession\SecureHandler->decrypt('\xAF\xDD\xCD\xDF\x01A8$\xE1\x1A\xB8y\n\xD0~...', '\x86\x8A\xB0\xBC{\xB9u\x08\x88\x8F\xFD\xA8}\xCB\xEF...') #1 [internal function]: PHPSecureSession\SecureHandler->read('hpjckkp8cjfdoh6...') #2 /var/www/html/securesession/vendor/ezimuel/php-secure-session/test/demo/index.php(26): session_start() #3 {main} thrown in /var/www/html/securesession/vendor/ezimuel/php-secure-session/src/SecureHandler.php on line 125

If you reload, the error should be gone.

<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

ini_set('session.save_handler', 'files');

$autoload = __DIR__ . '/../../../../../vendor/autoload.php';
if (! file_exists($autoload)) {
  echo "You need to execute <strong>composer install</strong>!";
  exit;
}
require_once $autoload;

// change the default session folder in a temporary dir
session_save_path(sys_get_temp_dir());
session_start();
session_write_close();

session_start();//this is where things fail, as the key is not registered in the cookies, so it is generated randomly again and does not match the previous key
session_write_close();

echo "End of file";
?>

For me, this error is not apparent, if applying the changes I suggested.

from php-secure-session.

@gollumben We need to transform this in a unit test, I will work on it.

from php-secure-session.

@gollumben I solved the issue providing a unit test with commit 6ddb28c /cc @hardyjohnson

from php-secure-session.

Cheers!

from php-secure-session.