
Commit cb25ac5

mingsong-huMingsong Hu
andauthored
[#2105] Hash session ID in the database (#2106)
* [#2105] Hash session ID in the database
* Update hash data function for SQLStore

---------

Co-authored-by: Mingsong Hu <mingsonghu@osb-macpro-v2nq.lan>
1 parent 2855565 commit cb25ac5


1 file changed

+26
-1
lines changed

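--- a/src/SimpleSAML/Store/SQLStore.php
+++ b/src/SimpleSAML/Store/SQLStore.php
@@ -8,7 +8,7 @@
 use PDO;
 use PDOException;
 use SimpleSAML\Assert\Assert;
-use SimpleSAML\{Configuration, Logger};
+use SimpleSAML\{Configuration, Logger, Utils};
 
 use function array_keys;
 use function count;
@@ -347,6 +347,10 @@ private function cleanKVStore(): void
      */
     public function get(string $type, string $key): mixed
     {
+        if ($type == 'session') {
+            $key = $this->hashData($key);
+        }
+
         if (strlen($key) > 50) {
             $key = sha1($key);
         }
@@ -393,6 +397,10 @@ public function set(string $type, string $key, mixed $value, ?int $expire = null
             $this->cleanKVStore();
         }
 
+        if ($type == 'session') {
+            $key = $this->hashData($key);
+        }
+
         if (strlen($key) > 50) {
             $key = sha1($key);
         }
@@ -423,6 +431,10 @@ public function set(string $type, string $key, mixed $value, ?int $expire = null
      */
     public function delete(string $type, string $key): void
     {
+        if ($type == 'session') {
+            $key = $this->hashData($key);
+        }
+
         if (strlen($key) > 50) {
             $key = sha1($key);
         }
@@ -436,4 +448,17 @@ public function delete(string $type, string $key): void
         $query = $this->pdo->prepare($query);
         $query->execute($data);
     }
+
+
+    /**
+     * Calculates an URL-safe sha-256 hash.
+     *
+     * @param string $data
+     * @return string The hashed data.
+     */
+    private function hashData(string $data): string
+    {
+        $secretSalt = (new Utils\Config())->getSecretSalt();
+        return hash_hmac('sha256', $data, $secretSalt);
+    }
 }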
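Review bot: In the new `if ($type == 'session')` branches of get(), set() and delete(), hashData() returns a 64-character hex digest, so the pre-existing `strlen($key) > 50` check right below it always fires and every session key is actually stored as `sha1(hash_hmac('sha256', $id, $salt))`; the two steps are applied identically in all three methods, so lookups still match, but the double hashing is accidental and three copies of the same branch invite drift. I would fold both steps into one private helper called from each method, and compare with `===` rather than `==` since `$type` is declared `string`. The hashData() docblock should also state what it really is: `Returns the hex-encoded HMAC-SHA256 of $data keyed with this instance's secret salt, so the raw session ID is never written to the store.` Because the stored key is derived from the secret salt, rotating the salt presumably orphans every session row already in the table, and sessions written before this change sit under the unhashed key and become unreachable after upgrade — worth a line in the release notes. The bodies of get() and set() continue outside the hunks shown.
```php
/**
 * Normalizes a store key before it is used in SQL: session identifiers are
 * replaced by a keyed hash so the raw ID is never persisted, and any key
 * longer than 50 bytes is reduced with sha1() as before.
 */
private function normalizeKey(string $type, string $key): string
{
    if ($type === 'session') {
        $key = $this->hashData($key);
    }

    if (strlen($key) > 50) {
        $key = sha1($key);
    }

    return $key;
}

// … unchanged: get(), set() and delete() each replace the two inline checks with `$key = $this->normalizeKey($type, $key);` …
```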
