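0, 'path' => '/', 'secure' => isset($_SERVER['HTTPS']), 'httponly' => true, 'samesite' => 'Lax', ]); session_start(); } }

    /**
     * Replace the current session id while keeping the session data.
     *
     * Intended for privilege changes (login, role switch) so an id handed out
     * before authentication cannot be reused afterwards. No-op when no
     * session is active.
     */
    public static function regenerate(): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
    }

    /**
     * Store $value under $key in the session.
     *
     * Unlike csrfToken()/validateCsrf(), this does not call start(); the
     * caller is responsible for an active session.
     */
    public static function set(string $key, mixed $value): void
    {
        $_SESSION[$key] = $value;
    }

    /**
     * Read $key from the session.
     *
     * Returns $default when the key is absent or its value is null (the
     * null-coalescing operator does not distinguish the two).
     */
    public static function get(string $key, mixed $default = null): mixed
    {
        return $_SESSION[$key] ?? $default;
    }

    /** Remove $key from the session; unknown keys are ignored. */
    public static function remove(string $key): void
    {
        unset($_SESSION[$key]);
    }

    /**
     * Wipe the session data, expire the session cookie and destroy the
     * server-side session. No-op when no session is active.
     */
    public static function destroy(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            return;
        }

        $_SESSION = [];

        if (ini_get('session.use_cookies')) {
            // Expire the cookie with the same attribute set it was issued
            // with. The positional setcookie() form cannot carry samesite,
            // so the options-array form is used to mirror start()'s config.
            $params = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires' => time() - 42000,
                'path' => $params['path'],
                'domain' => $params['domain'],
                'secure' => $params['secure'],
                'httponly' => $params['httponly'],
                'samesite' => $params['samesite'] ?? '',
            ]);
        }

        session_destroy();
    }

    /**
     * Return the per-session CSRF token, creating it on first use.
     *
     * The token is 32 bytes from random_bytes() (CSPRNG), hex-encoded to a
     * 64-character string. Starts the session if needed.
     */
    public static function csrfToken(): string
    {
        self::start();

        // A non-string value (e.g. clobbered via set()) would violate the
        // string return type, so treat it the same as "not yet issued".
        if (!is_string($_SESSION['_csrf_token'] ?? null)) {
            $_SESSION['_csrf_token'] = bin2hex(random_bytes(32));
        }

        return $_SESSION['_csrf_token'];
    }

    /**
     * Check a submitted token against the one stored in the session.
     *
     * The comparison is constant-time (hash_equals). A token that validates
     * is consumed: it is removed from the session so the next csrfToken()
     * call issues a fresh one. Forms rendered before a successful submission
     * therefore carry a stale token (single-use semantics).
     *
     * @param string|null $token value submitted by the client, null when absent
     * @return bool true only for a non-empty token identical to the stored one
     */
    public static function validateCsrf(?string $token): bool
    {
        self::start();

        $stored = $_SESSION['_csrf_token'] ?? null;

        // hash_equals() throws a TypeError on non-string input; the stored
        // value can be overwritten through set(), so check its type explicitly
        // instead of relying on isset().
        if (!is_string($stored) || $token === null || $token === '') {
            return false;
        }

        $valid = hash_equals($stored, $token);
        if ($valid) {
            // Optional: rotate the token after use (single-use token).
            unset($_SESSION['_csrf_token']);
        }

        return $valid;
    }
}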