Merge branch 'session-encryption' into 'master'

add optional encryption for stored session data using Sodium library

See merge request tt-rss/tt-rss!117

1 files changed, 16 insertions, 1 deletions

diff --git a/classes/Sessions.php b/classes/Sessions.php
index 5c586154b..f3c0cea42 100644
--- a/classes/Sessions.php
+++ b/classes/Sessions.php
@@ -58,7 +58,17 @@ class Sessions implements \SessionHandlerInterface {
 		$sth->execute([$id]);
 
 		if ($row = $sth->fetch()) {
-			return base64_decode($row['data']);
+			$data = base64_decode($row['data']);
+
+			if (Config::get(Config::ENCRYPTION_KEY)) {
+				$unserialized_data = @unserialize($data); // avoid leaking plaintext session via error message
+
+				if ($unserialized_data !== false)
+					return Crypt::decrypt_string($unserialized_data);
+			}
+
+			// if encryption key is missing or session data is not in serialized format, assume plaintext data and return as-is
+			return $data;
 		}
 
 		$expire = time() + $this->session_expire;
@@ -69,7 +79,12 @@ class Sessions implements \SessionHandlerInterface {
 	}
 
 	public function write(string $id, string $data): bool {
+
+		if (Config::get(Config::ENCRYPTION_KEY))
+			$data = serialize(Crypt::encrypt_string($data));
+
 		$data = base64_encode($data);
+
 		$expire = time() + $this->session_expire;
 
 		$sth = Db::pdo()->prepare('SELECT id FROM ttrss_sessions WHERE id=?');