Fix cookie after close, issue #27

ezimuel · Mar 30, 2017 · 6ddb28c · 6ddb28c
1 parent 6635d71
commit 6ddb28c
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/src/SecureHandler.php b/src/SecureHandler.php
@@ -143,11 +143,12 @@ protected function decrypt($data, $key)
     protected function getKey($name)
     {
         if (empty($_COOKIE[$name])) {
-            $key = random_bytes(64); // 32 for encryption and 32 for authentication
+            $key         = random_bytes(64); // 32 for encryption and 32 for authentication
             $cookieParam = session_get_cookie_params();
+            $encKey      = base64_encode($key);
             setcookie(
                 $name,
-                base64_encode($key),
+                $encKey,
                 // if session cookie lifetime > 0 then add to current time
                 // otherwise leave it as zero, honoring zero's special meaning
                 // expire at browser close.
@@ -157,6 +158,7 @@ protected function getKey($name)
                 $cookieParam['secure'],
                 $cookieParam['httponly']
             );
+            $_COOKIE[$name] = $encKey;
         } else {
             $key = base64_decode($_COOKIE[$name]);
         }

diff --git a/test/SecureSessionTest.php b/test/SecureSessionTest.php
@@ -43,4 +43,28 @@ public function testWriteRead()
         $this->assertTrue($this->secureHandler->write($id, $data));
         $this->assertEquals($data, $this->secureHandler->read($id));
     }
+
+    /**
+     * Test for issue #27
+     * @see https://github.com/ezimuel/PHP-Secure-Session/issues/27
+     *
+     * @runInSeparateProcess
+     */
+    public function testDoubleOpen()
+    {
+        $this->assertTrue($this->secureHandler->open(sys_get_temp_dir(), ''));
+        $id1 = session_id();
+
+        $handler = new ReflectionObject($this->secureHandler);
+        $key = $handler->getProperty('key');
+        $key->setAccessible(true);
+        $key1 = $key->getValue($this->secureHandler);
+
+        $this->assertTrue($this->secureHandler->open(sys_get_temp_dir(), ''));
+        $id2 = session_id();
+        $key2 = $key->getValue($this->secureHandler);
+
+        $this->assertEquals($id1, $id2);
+        $this->assertEquals($key1, $key2);
+    }
 }
diff --git a/test/demo/index.php b/test/demo/index.php
@@ -5,6 +5,8 @@
  * @author    Enrico Zimuel (enrico@zimuel.it)
  * @copyright MIT License
  */
+$start = microtime(true);
+
 ini_set('session.save_handler', 'files');
 
 $autoload = __DIR__ . '/../../vendor/autoload.php';
@@ -25,9 +27,13 @@
 
 $filename = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sess_' . session_id();
 
+$time = microtime(true) - $start;
+
 echo "<h1>PHP-Secure-Session Demo</h1>";
 echo "<p>Session created at <strong>" . date("G:i:s ", $_SESSION['time']) . "</strong></p>";
 echo "<p>Session file: <strong>" . $filename . "</strong></p>";
 echo "<p>Content:<br><pre>" . session_encode() . "</pre></p>";
 echo "<p>Encrypted content in Base64:<br><pre>" . base64_encode(file_get_contents($filename)). "</pre></p>";
 echo "<p><strong>Note:</strong> If you reload the page you will see the encrypted data changing</p>";
+
+printf("Execution time: %.6f", $time * 1000);