Add a session wrapper to encrypt sessiondata

db_structure.xml

@@ -1112,6 +1112,36 @@
 
 	</table>
 
+	<table>
+		<!--
+		Stores the used sessions to reduce the risks of session collisions
+		-->
+		<name>*dbprefix*sessions</name>
+		<declaration>
+			<field>
+				<name>hashed_id</name>
+				<type>string</type>
+				<length>128</length>
+			</field>
+			<field>
+				<name>last_used</name>
+				<type>integer</type>
+				<default></default>
+				<notnull>false</notnull>
+			</field>
+
+			<index>
+				<primary>true</primary>
+				<unique>true</unique>
+				<name>hashed_id_index</name>
+				<field>
+					<name>hashed_id</name>
+					<sorting>ascending</sorting>
+				</field>
+			</index>
+		</declaration>
+	</table>
+
 	<table>
 
 		<!--

lib/base.php

@@ -431,6 +431,29 @@ public static function initTemplateEngine() {
 	}
 
 	public static function initSession() {
+		// Try to set the session lifetime
+		$sessionLifeTime = self::getSessionLifeTime();
+		@ini_set('session.gc_maxlifetime', (int)$sessionLifeTime);
+
+		/**
+		 * Use a custom session handler to store the data encrypted within the
+		 * session this is only possible after the instance has been installed
+		 * and since this may also happen after an update case we need to verify
+		 * the version as well.
+		 */
+		if(self::$server->getConfig()->getSystemValue('installed', false)
+			&& version_compare(self::$server->getConfig()->getSystemValue('version', 0), '8.2.0.2', 'gt')) {
+			$handler = new \OC\Session\CryptoSessionHandler(
+				self::$server->getCrypto(),
+				self::$server->getSecureRandom(),
+				self::$server->getDatabaseConnection(),
+				self::$server->getConfig(),
+				self::$server->getTimeFactory(),
+				self::$server->getLogger()
+			);
+			session_set_save_handler($handler, true);
+		}
+
 		// prevents javascript from accessing php session cookies
 		ini_set('session.cookie_httponly', true);
 
@@ -634,9 +657,6 @@ public static function init() {
 				\OC::$server->getConfig()->deleteAppValue('core', 'cronErrors');
 			}
 		}
-		//try to set the session lifetime
-		$sessionLifeTime = self::getSessionLifeTime();
-		@ini_set('gc_maxlifetime', (string)$sessionLifeTime);
 
 		$systemConfig = \OC::$server->getSystemConfig();
 

lib/private/server.php

@@ -40,6 +40,7 @@
 use OC\AppFramework\Http\Request;
 use OC\AppFramework\Db\Db;
 use OC\AppFramework\Utility\SimpleContainer;
+use OC\AppFramework\Utility\TimeFactory;
 use OC\Command\AsyncBus;
 use OC\Diagnostics\EventLogger;
 use OC\Diagnostics\NullEventLogger;
@@ -157,7 +158,10 @@ public function __construct($webRoot) {
 		});
 		$this->registerService('UserSession', function (Server $c) {
 			$manager = $c->getUserManager();
-			$userSession = new \OC\User\Session($manager, new \OC\Session\Memory(''));
+
+			$session = new \OC\Session\Memory('');
+
+			$userSession = new \OC\User\Session($manager, $session);
 			$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
 				\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
 			});
@@ -358,6 +362,9 @@ public function __construct($webRoot) {
 				$c->getL10N('lib', $language)
 			);
 		});
+		$this->registerService('TimeFactory', function() {
+			return new TimeFactory();
+		});
 		$this->registerService('MountConfigManager', function () {
 			$loader = \OC\Files\Filesystem::getLoader();
 			return new \OC\Files\Config\MountProviderCollection($loader);
@@ -611,6 +618,13 @@ public function getConfig() {
 		return $this->query('AllConfig');
 	}
 
+	/**
+	 * @return \OCP\AppFramework\Utility\ITimeFactory
+	 */
+	public function getTimeFactory() {
+		return $this->query('TimeFactory');
+	}
+
 	/**
 	 * For internal use only
 	 *