diff options
| author | Andrew <browner12@gmail.com> | 2014-02-11 09:55:48 +0100 |
|---|---|---|
| committer | Andrew <browner12@gmail.com> | 2014-02-11 09:55:48 +0100 |
| commit | b6d8b962e44202a74c9b9321a4a53f61a753fccf (patch) | |
| tree | 2d3c533a55964a0d124f7cd6bb1d3d98c7b84056 /system/libraries/Session/drivers | |
| parent | 41713aaa665189dd0a191c333c73c4a7b9f37c78 (diff) | |
| parent | 29e12641a1bb952f493462db6757ae12c7da1f2c (diff) | |
Merge branch 'develop' into patch-1
Conflicts:
system/libraries/Calendar.php
Diffstat (limited to 'system/libraries/Session/drivers')
| -rw-r--r-- | system/libraries/Session/drivers/Session_cookie.php | 69 |
1 files changed, 37 insertions, 32 deletions
diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index c8dfad6c9..79712ad94 100644 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -240,7 +240,7 @@ class CI_Session_cookie extends CI_Session_driver { // Do we need encryption? If so, load the encryption class if ($this->sess_encrypt_cookie === TRUE) { - $this->CI->load->library('encrypt'); + $this->CI->load->library('encryption'); } // Check for database @@ -383,38 +383,41 @@ class CI_Session_cookie extends CI_Session_driver { return FALSE; } - $len = strlen($session) - 40; - - if ($len < 0) + if ($this->sess_encrypt_cookie === TRUE) { - log_message('debug', 'The session cookie was not signed.'); - return FALSE; + $session = $this->CI->encryption->decrypt($session); + if ($session === FALSE) + { + log_message('error', 'Session: Unable to decrypt the session cookie, possibly due to a HMAC mismatch.'); + return FALSE; + } } - - // Check cookie authentication - $hmac = substr($session, $len); - $session = substr($session, 0, $len); - - // Time-attack-safe comparison - $hmac_check = hash_hmac('sha1', $session, $this->encryption_key); - $diff = 0; - for ($i = 0; $i < 40; $i++) + else { - $diff |= ord($hmac[$i]) ^ ord($hmac_check[$i]); - } + if (($len = strlen($session) - 40) <= 0) + { + log_message('error', 'Session: The session cookie was not signed.'); + return FALSE; + } - if ($diff !== 0) - { - log_message('error', 'The session cookie data did not match what was expected.'); - $this->sess_destroy(); - return FALSE; - } + // Check cookie authentication + $hmac = substr($session, $len); + $session = substr($session, 0, $len); - // Check for encryption - if ($this->sess_encrypt_cookie === TRUE) - { - // Decrypt the cookie data - $session = $this->CI->encrypt->decode($session); + // Time-attack-safe comparison + $hmac_check = hash_hmac('sha1', $session, $this->encryption_key); + $diff = 0; + for ($i = 0; $i < 40; $i++) + { + $diff |= ord($hmac[$i]) ^ ord($hmac_check[$i]); + } + + if ($diff !== 0) + { + log_message('error', 'Session: HMAC mismatch. The session cookie data did not match what was expected.'); + $this->sess_destroy(); + return FALSE; + } } // Unserialize the session array @@ -731,11 +734,13 @@ class CI_Session_cookie extends CI_Session_driver { if ($this->sess_encrypt_cookie === TRUE) { - $cookie_data = $this->CI->encrypt->encode($cookie_data); + $cookie_data = $this->CI->encryption->encrypt($cookie_data); + } + else + { + // Require message authentication + $cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key); } - - // Require message authentication - $cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key); $expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time(); |