Create an insecure bank application

webroot/lib/Model/Session.php

@@ -0,0 +1,59 @@
+<?php
+declare(strict_types=1);
+
+namespace Model;
+
+use Controller\Sql;
+
+class Session
+{
+    public ?string $tokenHash = null;
+    public ?string $newSessid = null;
+    public ?User $user = null;
+
+    public static function create(User $user): Session
+    {
+        $sessid = bin2hex(random_bytes(32));
+        $sessidHash = hash('sha256', $sessid);
+
+        $sql = Sql::connection();
+        $stmt = $sql->prepare('INSERT INTO session (token, user) VALUES (UNHEX(?), ?)');
+        $stmt->execute([$sessidHash, $user->id]);
+
+        $session = new self();
+        $session->newSessid = $sessid;
+        $session->user = $user;
+        return $session;
+    }
+
+    public static function load(): ?self
+    {
+        if (!isset($_COOKIE['sessid'])) {
+            return null;
+        }
+        $sessidHash = hash('sha256', $_COOKIE['sessid']);
+
+        $sql = Sql::connection();
+        $stmt = $sql->prepare(
+            'SELECT user.id, user.name, user.admin FROM session
+            JOIN user ON session.user = user.id
+            WHERE token = UNHEX(?)'
+        );
+        $stmt->execute([$sessidHash]);
+        if ($row = $stmt->fetch(\PDO::FETCH_ASSOC)) {
+            $session = new Session();
+            $session->tokenHash = $sessidHash;
+            $session->user = new User($row['id'], $row['name'], null, (bool) $row['admin']);
+            return $session;
+        }
+
+        return null;
+    }
+
+    public function destroy(): void
+    {
+        $sql = Sql::connection();
+        $stmt = $sql->prepare('DELETE FROM session WHERE token = UNHEX(?)');
+        $stmt->execute([$this->tokenHash]);
+    }
+}