authorThomas Steur <tsteur@users.noreply.github.com>2020-01-20 21:52:24 +0300
committerGitHub <noreply@github.com>2020-01-20 21:52:24 +0300
commit9af15986a92976ae5a179835ce5cd76b1da25fa6 (patch)
treefefc2b2fe23c20612433f7e1358eeee2c05d7f44
parent59ce08cc1fc15d2e5fe1aa43534158a7ef5a2760 (diff)
Store session ID hashed in the DB (#15390)
-rw-r--r--core/Session/SaveHandler/DbTable.php14
1 files changed, 14 insertions, 0 deletions
diff --git a/core/Session/SaveHandler/DbTable.php b/core/Session/SaveHandler/DbTable.php
index 87634acb5e..70b3beff48 100644
--- a/core/Session/SaveHandler/DbTable.php
+++ b/core/Session/SaveHandler/DbTable.php
@@ -13,6 +13,7 @@ use Piwik\Common;
use Piwik\Db;
use Piwik\DbHelper;
use Exception;
+use Piwik\SettingsPiwik;
use Piwik\Updater\Migration;
use Zend_Session;
use Zend_Session_SaveHandler_Interface;
@@ -27,6 +28,7 @@ class DbTable implements Zend_Session_SaveHandler_Interface
protected $maxLifetime;
const TABLE_NAME = 'session';
+ const TOKEN_HASH_ALGO = 'sha512';
/**
* @param array $config
@@ -37,6 +39,13 @@ class DbTable implements Zend_Session_SaveHandler_Interface
$this->maxLifetime = ini_get('session.gc_maxlifetime');
}
+ private function hashSessionId($id)
+ {
+ $salt = SettingsPiwik::getSalt();
+ return hash(self::TOKEN_HASH_ALGO, $id . $salt);
+ }
+
+
/**
* Destructor
*
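Review bot: hashSessionId() binds the salt by plain concatenation, `hash(self::TOKEN_HASH_ALGO, $id . $salt)`, where the keyed construction is the conventional way to tie a secret to a digest and costs nothing here: `return hash_hmac(self::TOKEN_HASH_ALGO, $id, $salt);`. Either way the stored key becomes a 128-character hex digest, so the column named by `$this->config['primary']` must be at least that wide; the diff shows neither the schema nor a migration, so verify it, because a narrower column would silently truncate and break the lookups in read()/write()/destroy(). The method also has no docblock; I would add one stating that the raw cookie value is never written to the table, so a read of the session table (backup leak, SQL injection) does not yield reusable session IDs, and that rotating the salt from SettingsPiwik::getSalt() invalidates every session. Note that the salt only adds value if an attacker can read the table but not the config holding the salt; if both leak, protection rests on the preimage resistance of sha512 over a high-entropy ID, which is still adequate.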
@@ -79,6 +88,7 @@ class DbTable implements Zend_Session_SaveHandler_Interface
*/
public function read($id)
{
+ $id = $this->hashSessionId($id);
$sql = 'SELECT ' . $this->config['dataColumn'] . ' FROM ' . $this->config['name']
. ' WHERE ' . $this->config['primary'] . ' = ?'
. ' AND ' . $this->config['modifiedColumn'] . ' + ' . $this->config['lifetimeColumn'] . ' >= ?';
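Review bot: read() now looks up the digest, but the diffstat shows this commit touches only DbTable.php, so every row written before the upgrade holds a raw session ID that will never match again: all logged-in users are signed out on deploy, and those plaintext IDs remain readable in the table until they age out under the lifetime taken from `$this->maxLifetime` (presumably via the handler's gc path, which is outside this diff). Since the file already imports `Piwik\Updater\Migration`, consider pairing this with a migration that truncates the session table, or deletes rows whose key is not a 128-character hex string, so the old cleartext IDs do not outlive the upgrade. The body of read() continues past the hunk.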
@@ -131,6 +141,8 @@ class DbTable implements Zend_Session_SaveHandler_Interface
*/
public function write($id, $data)
{
+ $id = $this->hashSessionId($id);
+
$sql = 'INSERT INTO ' . $this->config['name']
. ' (' . $this->config['primary'] . ','
. $this->config['modifiedColumn'] . ','
@@ -156,6 +168,8 @@ class DbTable implements Zend_Session_SaveHandler_Interface
*/
public function destroy($id)
{
+ $id = $this->hashSessionId($id);
+
$sql = 'DELETE FROM ' . $this->config['name'] . ' WHERE ' . $this->config['primary'] . ' = ?';
$this->query($sql, array($id));