I read a bit on how to secure a session and what I decided to do was to save the session_id to the database, and then save it to a session variable after it has been encrypted.
Here is the class that I used for the encryption (it was written by an O'Reilly books author):
Encrypted class using session_set_save_handler
Then I apply it this way:
ini_set('session.use_only_cookies', true);
// Calls the session class (registers the encrypting save handler before session_start()).
require_once(dirname(__FILE__) . "/../../Administrator/secure_session.php");
session_start();
if (!isset($_SESSION['mod'])) {
    // $name is set earlier in the page (not shown in the post).
    Moderator::insert_moderator($name, session_id());
    $_SESSION['mod'] = session_id();
    $_SESSION['time'] = time();
    echo "<br/>Moderator session: " . $_SESSION['mod'];
}
This is the exception which is being thrown:
Fatal error: Uncaught exception 'Exception' with message 'I cannot generate a secure pseudo-random key. Please use PHP >= 5.3 or Mcrypt extension' in C:\xampp\htdocs\PoliticalForum\Administrator\secure_session.php:74
Stack trace:
#0 C:\xampp\htdocs\PoliticalForum\Administrator\secure_session.php(107): SecureSession->_randomKey(32)
#1 [internal function]: SecureSession->open('C:\xampp\htdocs…', 'PHPSESSID')
#2 C:\xampp\htdocs\PoliticalForum\StoredProcedure\User\headerSite.php(43): session_start()
#3 C:\xampp\htdocs\PoliticalForum\mainHome.php(14): include_once('C:\xampp\htdocs…')
#4 {main}
thrown in C:\xampp\htdocs\PoliticalForum\Administrator\secure_session.php on line 74
What am I doing wrong, and how can I fix this? I don't understand much about encryption!
The exception is because you're probably using PHP < 5.3, or you didn't enable the mcrypt extension in your php.ini.
Your error log points to line 74 of the class; if you look at it:
that means that MCRYPT_DEV_URANDOM is not defined, and if you look on php.net you'll see that it was introduced in PHP >= 5.3 on Windows platforms.
To update your PHP, download the latest stable version from here or here (Windows).
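As an added example (not code from the question, the answer, or the O'Reilly SecureSession class), here is a key-generation function that tries each CSPRNG source a PHP build can offer and only throws when none is available. It shows the check that fails on the questioner's setup (MCRYPT_DEV_URANDOM undefined on PHP < 5.3 for Windows) next to the alternatives a newer PHP or ext/openssl provides. The function names secure_random_key() and csprng_sources_available() are assumptions for this example:

```php
<?php
// Added example: generate a cryptographically secure random key, trying each
// CSPRNG source the running PHP build offers, and fail loudly only when none
// exists. Function names are illustrative, not from the original class.

function secure_random_key($length = 32)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('Key length must be a positive integer');
    }

    // PHP 7.0+: random_bytes() is the CSPRNG that core ships with.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // PHP 5.3+ with ext/openssl: only accept output the library marks as strong.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong === true) {
            return $bytes;
        }
    }

    // PHP 5.3+ with ext/mcrypt: this is the branch the question's class relies
    // on; on older Windows builds the MCRYPT_DEV_URANDOM constant does not exist,
    // which is why defined() is checked before it is used.
    if (function_exists('mcrypt_create_iv') && defined('MCRYPT_DEV_URANDOM')) {
        $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // Never fall back to rand()/mt_rand()/uniqid(): their output is predictable,
    // and a session key derived from it can be guessed by an attacker.
    throw new Exception(
        'I cannot generate a secure pseudo-random key. Please use PHP >= 5.3 ' .
        'with the OpenSSL or Mcrypt extension (running PHP ' . PHP_VERSION . ').'
    );
}

// Diagnostic: which CSPRNG sources does this PHP binary actually expose?
function csprng_sources_available()
{
    return array(
        'random_bytes'                => function_exists('random_bytes'),
        'openssl_random_pseudo_bytes' => function_exists('openssl_random_pseudo_bytes'),
        'mcrypt_dev_urandom'          => function_exists('mcrypt_create_iv')
                                         && defined('MCRYPT_DEV_URANDOM'),
    );
}

// Usage: run from the CLI with the same PHP binary XAMPP serves pages with,
// e.g. C:\xampp\php\php.exe keycheck.php
if (PHP_SAPI === 'cli') {
    var_dump(csprng_sources_available());
    echo bin2hex(secure_random_key(32)), PHP_EOL;
}
```

Running the diagnostic against the XAMPP php.exe tells you before the first request which branch the build will take; if every entry is false, upgrading PHP or enabling ext/openssl or ext/mcrypt in php.ini is the fix, not a weaker random source.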