From 4e58f91d72c7042fa2faff9292399072ce28c9ed Mon Sep 17 00:00:00 2001
From: Andrey Kutejko
Date: Sun, 7 Apr 2019 12:12:25 +0200
Subject: [PATCH] no globals in session

---
 ipf/crypto.php      | 45 ---------------------------------------------
 ipf/session/app.php | 27 +++++++++++++++++++++++----
 2 files changed, 23 insertions(+), 49 deletions(-)
 delete mode 100644 ipf/crypto.php

diff --git a/ipf/crypto.php b/ipf/crypto.php
deleted file mode 100644
index f4624b7..0000000
--- a/ipf/crypto.php
+++ /dev/null
@@ -1,45 +0,0 @@
-get('secret_key');
+        if (!$secret_key) {
+            throw new Exception('Security error: "secret_key" is not set in the configuration file.');
+        }
+
         $this->backends = [
-            new CookieSessionBackend(),
-            new DBSessionBackend($container, $container['settings']->get('secret_key')),
+            new CookieSessionBackend($secret_key),
+            new DBSessionBackend($container, $secret_key),
         ];
     }
 
@@ -78,13 +83,21 @@ interface SessionBackend
 class CookieSessionBackend implements SessionBackend
 {
+    /** @var string */
+    private $secret_key;
+
+    function __construct($secret_key)
+    {
+        $this->secret_key = $secret_key;
+    }
+
     public function getData($key)
     {
         $key = explode('|', $key, 2);
         if (count($key) !== 2)
             return null;
         list($data, $sign) = $key;
-        if (IPF_Crypto::sign($data) !== $sign)
+        if ($this->sign($data) !== $sign)
             return null;
 
         return unserialize(base64_decode($data));
@@ -93,13 +106,19 @@ class CookieSessionBackend implements SessionBackend
     public function save($key, $data)
     {
         $encoded = base64_encode(serialize($data));
-        return $encoded . '|' . IPF_Crypto::sign($encoded);
+        return $encoded . '|' . $this->sign($encoded);
     }
 
     public function delete($key)
     {
         // DO NOTHING
     }
+
+    private function sign($data)
+    {
+        $key = sha1($this->secret_key . $this->secret_key);
+        return hash_hmac('sha1', $data, $key);
+    }
 }
 
 class DBSessionBackend implements SessionBackend
-- 
2.49.0
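Review bot: The tag comparison on the new `if ($this->sign($data) !== $sign)` line in CookieSessionBackend::getData is an ordinary string compare, so it leaks timing information about how many leading bytes of a supplied tag match the expected one; `if (!hash_equals($this->sign($data), $sign))` is the constant-time form and returns the same result for well-formed input. This MAC check is the only thing between a client-controlled cookie value and the `unserialize(base64_decode($data))` call two lines below, so it deserves the stricter comparison. The new constructor also declares no visibility and no parameter type; `public function __construct(string $secret_key)` would match the explicit `public` on the class's other methods and reject a non-string value from the settings container at the boundary.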
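Review bot: The new private `sign()` derives its HMAC key as `sha1($this->secret_key . $this->secret_key)` with no comment explaining the doubling and the rehash, and the deleted `IPF_Crypto::sign` body is not visible in this patch, so a reader cannot tell whether this reproduces the old scheme or is a new one. If it is a port of the removed code, a comment such as `// Same key derivation as the removed IPF_Crypto::sign(), so cookies issued before this change still verify` would record that the derivation is a compatibility constraint rather than a design choice. If it is new, a direct HMAC over the configured secret, e.g. `return hash_hmac('sha256', $data, $this->secret_key);`, is simpler and avoids the extra SHA-1 step, at the cost of invalidating cookies signed under the old scheme. In either case the method would benefit from types: `private function sign(string $data): string`.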