Matthew Knowlton - 2015-05-13 17:17:38 -
In reply to message 1 from Dave Smith
Thank you for your suggestion, it has been implemented.
Pass a boolean true as the first parameter when initializing the class. The second parameter is an optional salt.
However, some things to note that keep your site protected with this class even if the session is unencrypted:
Scenario:
Attacker hijacks session of user $X.
*If he cannot access a vulnerability that allows him to view the session:*
He can only use the abstracted ids he can find in the source as they are unguessable.
*If he is able to view all the PHP session data through a serious vulnerability in the site:*
He can see all of the abstracted ids that have been defined without hunting through the source. However, without the ability to modify the session data and "register" more ids, he can only use the ids already registered to user $X's session. Every other user is safe.
*If they can modify the session data, encryption/obfuscation is just about your only hope.*
However, it's still a good idea for just about any case if they have ANY access to the internals of your session.
If you have any more improvements I am very open to suggestions.
Thanks Dave,
Matt
P.S. Version 2.0 Coming soon: the encryption/decryption functions will be user specifiable.
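To make the scenario above concrete, here is an added example of a minimal session-bound id-abstraction helper; it is not Matthew's class, and the class name `SessionIdMap`, its methods and the use of libsodium's authenticated `secretbox` are assumptions. Each real id is replaced by a random 128-bit token that only resolves inside the session that registered it, and the optional encryption mode also authenticates the stored value so that a modified session entry fails to decrypt instead of resolving to an attacker-chosen id.

```php
<?php
// Hypothetical helper (added example, not the original class).
// Real ids never appear in HTML; only per-session random tokens do.
final class SessionIdMap
{
    private bool $encrypt;
    private string $key;

    public function __construct(bool $encrypt = false, string $salt = '')
    {
        $this->encrypt = $encrypt;
        // 32-byte key from the server-side salt plus the session id, so a
        // session blob copied out of storage is useless without the salt.
        $this->key = hash('sha256', $salt . session_id(), true);
        if (!isset($_SESSION['idmap'])) {
            $_SESSION['idmap'] = [];
        }
    }

    public function register(string $realId): string
    {
        $token = bin2hex(random_bytes(16)); // 128 bits: unguessable
        $_SESSION['idmap'][$token] = $this->seal($realId);
        return $token;
    }

    public function resolve(string $token): ?string
    {
        // Tokens from another user's session do not exist in this map.
        $stored = $_SESSION['idmap'][$token] ?? null;
        return $stored === null ? null : $this->open($stored);
    }

    private function seal(string $plain): string
    {
        if (!$this->encrypt) { return $plain; }
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $this->key));
    }

    private function open(string $stored): ?string
    {
        if (!$this->encrypt) { return $stored; }
        $raw = base64_decode($stored, true);
        $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if ($raw === false || strlen($raw) <= $n) { return null; }
        $pt = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $this->key);
        return $pt === false ? null : $pt; // false: tampered entry or wrong key
    }
}
```

After `session_start()`, `(new SessionIdMap(true, $salt))->register('42')` returns the token to embed in the page, and `resolve()` on a token that was never registered, or whose stored value was altered, returns `null`.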