Encrypted Sessions in XAMPP #3317

Closed
katie1348 opened this issue Nov 7, 2014 · 13 comments
Comments

@katie1348

I have just updated my old CodeIgniter 2.x installation to 3.0.

My development system runs under XAMPP and this too has been updated to the latest 1.8.3, for PHP 5.5.15.

This is fine, it all works nicely so there is no problem.

As I move through switching things on with the existing project, I find that there is a problem using Encryption with the Session cookie class.

By default the system uses AES-128 with CBC. Fine, except that XAMPP does not have AES-128!

The available ciphers are: cast-128 gost rijndael-128 twofish cast-256 loki97 rijndael-192 saferplus wake blowfish-compat des rijndael-256 serpent xtea blowfish enigma rc2 tripledes arcfour

As per my phpinfo().

So, I need to change the cipher used. Not a problem you say, just ....

Which is possible of course, but I have added and am proposing that we add in some additional config parameters, so that it can be easily controlled from the static config file.

/*
|--------------------------------------------------------------------------
| Encryption Key
|--------------------------------------------------------------------------
|
| If you use the Encryption class or the Session class you
| MUST set an encryption key.  See the user guide for info.
|
| http://codeigniter.com/user_guide/libraries/encryption.html
| http://codeigniter.com/user_guide/libraries/sessions.html
|
*/
$config['encryption_key']       = 'key';
$config['encryption_cipher']    = 'aes-128';
$config['encryption_mode']      = 'cbc';

That takes care of the default values, which are the same as current.

Then add these few lines into the __constructor

        if (self::strlen($cipher = config_item('encryption_cipher')) > 0)
        {
            $this->_cipher = $cipher;
        }

        if (self::strlen($mode = config_item('encryption_mode')) > 0)
        {
            $this->_mode = $mode;
        }

to give

    public function __construct(array $params = array())
    {
        $this->_drivers = array(
            'mcrypt' => defined('MCRYPT_DEV_URANDOM'),
            // While OpenSSL is available for PHP 5.3.0, an IV parameter
            // for the encrypt/decrypt functions is only available since 5.3.3
            'openssl' => (is_php('5.3.3') && extension_loaded('openssl'))
        );

        if ( ! $this->_drivers['mcrypt'] && ! $this->_drivers['openssl'])
        {
            return show_error('Encryption: Unable to find an available encryption driver.');
        }

        if (self::strlen($cipher = config_item('encryption_cipher')) > 0)
        {
            $this->_cipher = $cipher;
        }

        if (self::strlen($mode = config_item('encryption_mode')) > 0)
        {
            $this->_mode = $mode;
        }

        isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override'));
        $this->initialize($params);

        if ( ! isset($this->_key) && self::strlen($key = config_item('encryption_key')) > 0)
        {
            $this->_key = substr($key, 0, 32);
        }

        log_message('debug', 'Encryption Class Initialized');
    }
$config['encryption_cipher']    = 'rijndael-128';
$config['encryption_mode']      = 'cbc';

A mcrypt cipher is now supported and all is well with the world.

This might not be the best way to do it, but it seems to work nicely.

Any additional guidance, as to the best way to change this would be appreciated if this is the wrong way.

Thanks

@narfbg
Contributor

narfbg commented Nov 7, 2014

There's no such issue, if you tell CI_Encryption to use 'aes-128' it will automatically translate it to 'rijndael-128'.

@narfbg narfbg closed this as completed Nov 7, 2014
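
The reply above says CI_Encryption translates 'aes-128' to 'rijndael-128' for mcrypt. The following is an added example, not CodeIgniter's code and not part of any comment in this thread, showing that kind of name resolution together with an availability check. `resolve_cipher()` and its parameters are hypothetical; the mcrypt list is the one quoted from phpinfo() in the issue.

```php
<?php
// Added example, not CodeIgniter's code: map an AES name to the name the
// chosen driver uses, and fail early when the driver does not offer it.

/**
 * @param string   $cipher    'aes-128', 'aes-192' or 'aes-256'
 * @param string   $mode      e.g. 'cbc'
 * @param string   $driver    'mcrypt' or 'openssl'
 * @param string[] $available names the driver reports; on a live system,
 *                            mcrypt_list_algorithms() or openssl_get_cipher_methods()
 * @return array   'name' => driver cipher name, 'key_bytes' => required key length
 */
function resolve_cipher($cipher, $mode, $driver, array $available)
{
    $cipher = strtolower($cipher);
    $mode   = strtolower($mode);
    if (!preg_match('/^aes-(128|192|256)$/', $cipher, $m)) {
        throw new InvalidArgumentException("Not an AES name: $cipher");
    }
    $key_bytes = (int) ($m[1] / 8);

    if ($driver === 'mcrypt') {
        // mcrypt names Rijndael by BLOCK size. AES always has a 128-bit block,
        // so every AES variant is 'rijndael-128' and the key length selects
        // the variant. mcrypt's 'rijndael-192' and 'rijndael-256' are not AES.
        $name = 'rijndael-128';
    } elseif ($driver === 'openssl') {
        // OpenSSL encodes key size and mode in a single method name.
        $name = $cipher . '-' . $mode;
    } else {
        throw new InvalidArgumentException("Unknown driver: $driver");
    }

    if (!in_array($name, array_map('strtolower', $available), true)) {
        throw new RuntimeException("$driver does not offer $name");
    }
    return array('name' => $name, 'key_bytes' => $key_bytes);
}

// Cipher list copied from the phpinfo() output quoted in the issue.
$xampp_mcrypt = explode(' ', 'cast-128 gost rijndael-128 twofish cast-256 loki97 '
    . 'rijndael-192 saferplus wake blowfish-compat des rijndael-256 serpent xtea '
    . 'blowfish enigma rc2 tripledes arcfour');

// The alias itself is absent from the list, which is why passing it to
// mcrypt_module_open() unchanged fails; the resolved name is present.
var_dump(in_array('aes-128', $xampp_mcrypt, true));
$r = resolve_cipher('aes-128', 'cbc', 'mcrypt', $xampp_mcrypt);
printf("%s with a %d-byte key\n", $r['name'], $r['key_bytes']);
```
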
@katie1348
Author

How do you do that?

@narfbg
Contributor

narfbg commented Nov 7, 2014

How do I do what?

@katie1348
Author

How do I use a different encryption method?

If I do nothing, the system fails to initialize.

@katie1348
Author

I am obviously not making my problem clear.

In XAMPP 1.8.3, there is no AES-128. Using Session encryption causes CI to generate an error during the Encryption class initialization and session cookies do not work, there are errors in the log file.

@narfbg
Contributor

narfbg commented Nov 7, 2014

Well, could you show the error messages then?

@katie1348
Author

This is what I was getting in the error logs:

ERROR - 2014-11-07 12:45:38 --> Severity: Warning --> mcrypt_module_open(): Could not open encryption module D:\Apps\xampp\htdocs\site\system\libraries\Encryption.php 278
ERROR - 2014-11-07 12:45:38 --> Encryption: Unable to initialize MCrypt with cipher AES-128 in CBC mode.

As shown in the original post, AES is not supported at all.

@narfbg
Contributor

narfbg commented Nov 7, 2014

Line 278 is an empty one ...

@katie1348
Author

In my file, 278 is the following:

if ($this->_handle = mcrypt_module_open($this->_cipher, '', $this->_mode, ''))

narfbg added a commit that referenced this issue Nov 7, 2014
@narfbg
Contributor

narfbg commented Nov 7, 2014

See the above commit for the fix and don't modify files under system/ in the future. :)

@narfbg
Contributor

narfbg commented Nov 7, 2014

Also, the session lib is being replaced: #3073

@katie1348
Author

Thank you for finding and squashing that bug.

I have tested it on my end and it now does as you suggested, uses the substitute cipher.

Much appreciated.

Yes, I have been following the discussion into the new Session library.

@venki1911

Hi,
I am using CI-3.0. After loading my in localhost, I am getting "unable to find available encryption driver". Can you tell how to resolve this issue?
