FSO:Session
About
FSO:Session is a database-backed encrypted session module. A session consists of 2 parts. Firstly, the client browser holds a cookie that contains the unique session ID and the session data encryption key, encrypted with a key that exists on the server. Secondly, a row in the database, referred to by the session ID in the cookie, contains the IP address and user-agent string for the client and the session data, encrypted with the key from the cookie.
Security
This setup attempts to prevent session hijacking and data theft in 3 ways. The first 2 concern the knowledge required to hijack a session: the cookie data cannot be read without the key held on the server, and the server data cannot be read without the key held in the cookie. Somebody trying to get useful information from the cookie therefore needs the server's key, and somebody who has compromised the server gains nothing directly from the database, because each row's data is encrypted with a different key, none of which is stored on the server.
The final method of preventing session hijacking is that the IP address and user-agent of the client are compared to those stored in the database alongside the session data; if either does not match, the session is deleted. This means that an attacker has at most one attempt to hijack a session, which makes success so unlikely as to be considered near-impossible.
FSO:Session currently uses the FSO:Encrypt module, which by default uses Rijndael-256 (a.k.a. AES-256) in Cipher Block Chaining (CBC) mode.
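To make the two-half design described above concrete, here is an added example (not FSO:Session's own code) in Python: the cookie is sealed under a server-held key and carries the session ID plus a per-session data key, the database row is sealed under that data key, and a client whose IP address or user-agent differs from the stored pair has its session deleted. An HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the module's AES-256-CBC so the example runs on the standard library alone; SERVER_KEY, DB and all sample values are constructed for the demonstration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed server-side key; the module keeps the real one in server config.
SERVER_KEY = hashlib.sha256(b"constructed-demo-server-key").digest()
DB = {}  # stand-in for the session table: sid -> {ip, ua, data}

def _subkeys(key):
    # Separate keys for the keystream and the tag (encrypt-then-MAC).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_keystream(enc_key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the module's AES-CBC.
    stream = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("cookie or row has been tampered with")
    return _xor_keystream(enc_key, nonce, ct)

def create_session(ip, ua, data):
    sid = secrets.token_hex(16)            # session ID, present in both halves
    data_key = secrets.token_bytes(32)     # per-session key, lives only in the cookie
    DB[sid] = {"ip": ip, "ua": ua,
               "data": seal(data_key, json.dumps(data).encode())}
    cookie = seal(SERVER_KEY, json.dumps({"sid": sid, "key": data_key.hex()}).encode())
    return base64.b64encode(cookie).decode()   # value sent as the session cookie

def load_session(cookie, ip, ua):
    try:   # cookie half: readable only with SERVER_KEY
        inner = json.loads(unseal(SERVER_KEY, base64.b64decode(cookie)))
        row = DB[inner["sid"]]
    except (ValueError, KeyError, TypeError):
        return None
    if row["ip"] != ip or row["ua"] != ua:
        del DB[inner["sid"]]   # one mismatch destroys the session: a single attempt
        return None
    # database half: readable only with the per-session key carried by the cookie
    return json.loads(unseal(bytes.fromhex(inner["key"]), row["data"]))
```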
Usage
<?php
// Load the module (database, encryption key, session length in seconds)
FSO::load_module('session', array($fso->db, 'x$%x$FDG~~@:}{{P<DFG{PFD<GDFDASDodsinfsdi~SDF', 7200));
// Set a value through the module
$fso->session->foo = 'bar';
// Set a value the normal way
$_SESSION['foo'] = 'bar';
?>
Both of the above methods work due to the line
<?php
$_SESSION =& $this->data;
?>
in the Session class __init() function.