I have to submit the user session ID through a POST request (using a Flash uploader).
The project is based on Zend Framework.
Now I am not sure if my implementation is "safe":
View:
var session = "<?= Anon_SimpleCrypt::encrypt(Zend_Session::getId(), 'SOME_KEY') ?>";
Controller:
$sessionId = $_POST['SESSION_ID'];
$sessionId = Anon_SimpleCrypt::decrypt($sessionId, 'SOME_KEY');
Zend_Session::setId($sessionId);
Encryption/Decryption:
// Repeating-key additive cipher: each plaintext byte is shifted by the
// corresponding key byte (chr() reduces the sum mod 256), then base64-encoded.
public static function encrypt($value, $encryptionKey)
{
    $result = '';
    $encryptionKey = $encryptionKey . self::getSalt($value);
    for ($count = 0; $count < strlen($value); $count++) {
        $char = substr($value, $count, 1);
        // Offset -1 on the first byte selects the LAST key character (negative substr offset)
        $keychar = substr($encryptionKey, ($count % strlen($encryptionKey)) - 1, 1);
        $char = chr(ord($char) + ord($keychar));
        $result .= $char;
    }
    return base64_encode($result);
}

public static function decrypt($value, $encryptionKey)
{
    $result = '';
    $value = base64_decode($value);
    // Note: the salt is derived from the decoded ciphertext here, whereas encrypt()
    // derives it from the plaintext; the two only agree if getSalt() ignores its argument
    $encryptionKey = $encryptionKey . self::getSalt($value);
    for ($i = 0; $i < strlen($value); $i++) {
        $char = substr($value, $i, 1);
        $keychar = substr($encryptionKey, ($i % strlen($encryptionKey)) - 1, 1);
        $char = chr(ord($char) - ord($keychar));   // chr() wraps negative values mod 256
        $result .= $char;
    }
    return $result;
}
You do not need to encrypt the session id. Just send it in plain text. The session id is usually stored unencrypted in a cookie on the client, and this is no different. Besides, if someone gets the encrypted session id they will still be able to use the session because you decrypt it on the server anyway.
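To make the answer's point concrete, here is a Python port of the SimpleCrypt routines from the question (added here, not code from the question or from Zend Framework) together with a mirror of the controller's check. getSalt() is not shown on the page, so the port assumes a fixed salt string; the port reproduces the PHP quirks (the -1 key offset and the mod-256 wrap of chr()) and shows that the scheme is deterministic and that the base64 token is accepted by the controller exactly as the raw id would be.

```python
import base64

# ASSUMPTION: Anon_SimpleCrypt::getSalt() is not on the page; a constant stands in for it.
def get_salt(value: str) -> str:
    return "salt"


def simple_encrypt(value: str, key: str) -> str:
    """Port of encrypt(): repeating-key byte addition, then base64."""
    key = key + get_salt(value)
    out = bytearray()
    for i, ch in enumerate(value.encode("latin-1")):
        # PHP substr(key, (i % len) - 1, 1): for i % len == 0 the offset is -1,
        # i.e. the LAST key character; Python's negative index behaves the same.
        kch = key[(i % len(key)) - 1]
        out.append((ch + ord(kch)) & 0xFF)  # PHP chr() reduces the sum mod 256
    return base64.b64encode(bytes(out)).decode("ascii")


def simple_decrypt(token: str, key: str) -> str:
    """Port of decrypt(): base64-decode, then subtract the same key bytes."""
    raw = base64.b64decode(token)
    key = key + get_salt(raw.decode("latin-1"))  # same salt mismatch as the PHP
    out = bytearray()
    for i, ch in enumerate(raw):
        kch = key[(i % len(key)) - 1]
        out.append((ch - ord(kch)) & 0xFF)  # PHP chr() wraps negatives mod 256
    return out.decode("latin-1")


def controller_accepts(posted_value: str, key: str, expected_sid: str) -> bool:
    """Mirror of the controller: whatever decrypts is passed to Zend_Session::setId(),
    so the token carries the same authority as the plain session id."""
    return simple_decrypt(posted_value, key) == expected_sid


if __name__ == "__main__":
    sid = "abc"  # constructed sample session id
    token = simple_encrypt(sid, "K")
    print(token, simple_decrypt(token, "K"), controller_accepts(token, "K", sid))
```

Because there is no per-message randomness, the same session id under the same key always produces the same token, so the transformation hides nothing that the raw id would reveal.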