Decrypting and Reading Suhosin Session Data

Question

I just noticed that my host started using Suhosin Hardening, i'm not quite familiar with this and am having major issues with my application, mainly in sessions.

The session is nowing being stored in the following format:

_EzyqHpPJqmQbSpRmXAJTxuFq980aNQlc3XAiRkWxlZQ9B0fnV...

I don't mind that but its also breaking my application, i need a way to decode the encryption because its not letting me login to my app because of this.

I have a function to unserialize the session data, not sure where i picked up but here it is:

public function unserialize_session_data($data)
{
    $variables = array();

    $a = preg_split( "/(\w+)\|/", $serialized_string, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );

    for( $i = 0; $i < count( $a ); $i = $i+2 )
    {
        $variables[$a[$i]] = unserialize( $a[$i+1] );
    }

    return($variables);
}

It's giving offset errors with that function, because the session data is not in the format it is expecting and thats why i was wondering if anyone knows of a method to decrypt / decode the above ugly suhosin data to present it in its original format?

-- EDIT --

Posting the function which uses the above unserialize function

 /***********************************************************************
 #  Get Session Data of a certain session id
 #  --------------------------------------
 #  This function will retrieve all session information related to a certain session id from
 #  the database, after that it unserializes the data and returns an array of data.
 #
 #  @return array  (Containing Session Data)
 ***********************************************************************/
    public function get_session_data($session_id)
    {
        if (isset($session_id) && $session_id != "")
        {
            $sql = mysql_query("SELECT ses_value FROM sessions WHERE (ses_id = '$session_id');") or die ("MySQL Error : <b>" . mysql_error() . "</b><br />");

            if (mysql_num_rows($sql) > 0)
            {
                $res = mysql_fetch_assoc($sql);
                $res = $this->unserialize_session_data($res['ses_value']);
                        return $res;
            }
        }
    }

Thanks in advance!

Answer 1

I thought Suhosin's decryption and encryption was transparent?

Parameter       Description
Encrypt         Turns on the transparent encryption

Anyway, the way the encryption key is generated is:

cryptkey + user agent + document root + IP octets

So:

12345Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2/var/www127.0.0.1

The variables are concatenated without a separator. If for some reason the cryptkey string is NULL then Suhosin will default to a value of “D3F4UL7”.
Once built the string is hashed using SHA256 and the result used to generate a 256bit rijndael encryption key.

Answer 2

If you need to recover data thats been stored within the Session you could use the tool avaliable here:

http://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/

There is no native way to decrypt Suhosin data within PHP - the simplest way is to just turn the encryption off using session.encrypt = 0 within the php.ini file.

Answer 3

Can you just use ini_set() to turn off the encryption it's using?

• suhosin.session.encrypt

You'll need to specify the exact key that you want to be used for encrypting session data (which the page indicates is possible to do through ini_set()) in order to decrypt it. That done, decrypting it should become possible with the key (I'm not sure what encryption system it is using).