From 026d68fc2d0f24e4f2d46c5743a22f42053caa67 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Mon, 7 Apr 2025 20:08:17 +0300
Subject: add optional encryption for stored session data using Sodium library
---
 classes/Sessions.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'classes/Sessions.php')
diff --git a/classes/Sessions.php b/classes/Sessions.php
index 5c586154b..e8cba1765 100644
--- a/classes/Sessions.php
+++ b/classes/Sessions.php
@@ -58,7 +58,17 @@ class Sessions implements \SessionHandlerInterface {
 $sth->execute([$id]);
 if ($row = $sth->fetch()) {
- return base64_decode($row['data']);
+ $data = base64_decode($row['data']);
+
+ if (Config::get(Config::SODIUM_ENCRYPTION_KEY)) {
+ $unserialized_data = unserialize($data);
+
+ if ($unserialized_data !== false)
+ return Config::decrypt_string($unserialized_data);
+ }
+
+ // if Sodium key is missing or session data is not in serialized format, return as-is
+ return $data;
 }
 $expire = time() + $this->session_expire;
@@ -69,7 +79,12 @@ class Sessions implements \SessionHandlerInterface {
 }
 public function write(string $id, string $data): bool {
+
+ if (Config::get(Config::SODIUM_ENCRYPTION_KEY))
+ $data = serialize(Config::encrypt_string($data));
+
 $data = base64_encode($data);
+
 $expire = time() + $this->session_expire;
 $sth = Db::pdo()->prepare('SELECT id FROM ttrss_sessions WHERE id=?');
-- 
cgit v1.2.3-54-g00ecf
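Review bot: `unserialize($data)` in the new read path is called without `allowed_classes`, so anything able to write a row into `ttrss_sessions` (an injection elsewhere, a leaked DB credential, a restored backup) can inject arbitrary PHP objects into every request that loads a session; the payload produced by `Config::encrypt_string` is presumably a plain string or array and never needs object support, so the call should be `$unserialized_data = unserialize($data, ['allowed_classes' => false]);`. The legacy fallback also relies on `unserialize()` rejecting PHP session-format plaintext, which emits an E_NOTICE for every pre-migration row; a fixed prefix marker on encrypted rows would make the format detection explicit and silent. What happens when `Config::decrypt_string()` fails (wrong key, tampered ciphertext) depends on its return value, which is not visible here — worth confirming it does not hand a false or empty value back to the session handler as data. `read()`'s signature and statement preparation start outside the hunk.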
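Review bot: the result of `Config::encrypt_string($data)` is serialized and stored without being checked, so if encryption can fail (its contract is not visible in this hunk) a serialized `false` lands in the database, the read side's `unserialize()` then returns `false`, and the fallback returns the raw `b:0;` blob as plaintext session data — the session is silently wiped instead of the write being rejected. Since `write()` already returns bool, guard the call: `$encrypted = Config::encrypt_string($data); if ($encrypted === false) return false; $data = serialize($encrypted);` — adjust the failure test to whatever `encrypt_string` actually returns on error. The remainder of `write()` (the INSERT/UPDATE) continues outside the hunk.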