author | Andrii Cherytsya <poratuk@gmail.com> | 2016-09-23 18:38:55 +0300 |
committer | Andrii Cherytsya <poratuk@gmail.com> | 2016-09-23 18:38:55 +0300 |
commit | 842b6b85f5e4f7bed8863af3519eda6252d2266c (patch) | |
tree | d24ac04228bc809217bb0eaade5eac800850f945 | |
parent | b86cfd5a845c4b4cfeab7856f91ee229eee0eb90 (diff) | |
Moved SessionID from query param to the request headers.
-rw-r--r-- | src/Broker.php | 4 | ||||
-rw-r--r-- | src/Server.php | 29 |
2 files changed, 25 insertions, 8 deletions
diff --git a/src/Broker.php b/src/Broker.php
index 5ae9a26..2d91f98 100644
--- a/src/Broker.php
+++ b/src/Broker.php
@@ -169,8 +169,6 @@ class Broker
 protected function getRequestUrl($command, $params = [])
 {
 $params['command'] = $command;
- $params['sso_session'] = $this->getSessionId();
-
 return $this->url . '?' . http_build_query($params);
 }
@@ -192,7 +190,7 @@ class Broker
 $ch = curl_init($url);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
- curl_setopt($ch, CURLOPT_HTTPHEADER, ['Accept: application/json']);
+ curl_setopt($ch, CURLOPT_HTTPHEADER, ['Accept: application/json', 'Authorization:'. $this->getSessionID()]);
 if ($method === 'POST' && !empty($data)) {
 $post = is_string($data) ? $data : http_build_query($data);
diff --git a/src/Server.php b/src/Server.php
index 8d1ecd4..f91e52f 100644
--- a/src/Server.php
+++ b/src/Server.php
@@ -68,12 +68,12 @@ abstract class Server
 {
 if (isset($this->brokerId)) return;
- if (!isset($_GET['sso_session'])) {
+ $sid = $this->getBrokerSessionID();
+
+ if ($sid == FALSE) {
 return $this->fail("Broker didn't send a session key", 400);
 }
-
- $sid = $_GET['sso_session'];
-
+
 $linkedId = $this->cache->get($sid);
 if (!$linkedId) {
@@ -90,6 +90,25 @@ abstract class Server
 $this->brokerId = $this->validateBrokerSessionId($sid);
 }
+
+ /**
+ * Get session ID from header Authorization or from $_GET/$_POST
+ */
+ protected function getBrokerSessionID(){
+ $headers = getallheaders();
+
+ if (isset($headers['Authorization'])){
+ return $headers['Authorization'];
+ }
+ if (isset($_GET['sso_session'])) {
+ return $_GET['sso_session'];
+ }
+ if (isset($_POST['sso_session'])) {
+ return $_POST['sso_session'];
+ }
+
+ return FALSE;
+ }
 /**
 * Validate the broker session id
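Review bot: The new curl_setopt line sends a bare session id as the whole header value (`'Authorization:'. $this->getSessionID()`), which is not the `scheme [SP credentials]` shape RFC 7235 defines for Authorization, so proxies or the server SAPI may drop or reject it; Apache running PHP through CGI/FastCGI in particular does not expose Authorization to the script unless it is passed through explicitly. If the header stays, agree on a scheme that the server side strips, e.g. `'Authorization: Bearer ' . $this->getSessionID()`, so the value is well-formed end to end. The accessor is spelled `getSessionID()` here but `getSessionId()` on the line removed in the previous hunk; PHP resolves both, but one spelling is easier to grep. The enclosing method starts and ends outside the hunk.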
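Review bot: `if ($sid == FALSE)` is a loose comparison, so an id of `''` or `'0'` is treated as "not sent" and, conversely, the check only works because getBrokerSessionID() happens to return a boolean; compare identity and reject the empty string explicitly, `if ($sid === false || $sid === '') {`, keeping the 400. The hunk also adds an empty `+` line after the closing brace in place of the two removed blank lines, which is whitespace-only noise in an otherwise behavioural change. The enclosing method starts outside the hunk.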
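Review bot: getBrokerSessionID() calls `getallheaders()` unconditionally, but at the date of this commit that function exists only under the Apache module SAPI (FPM gained it in PHP 7.3), so on nginx/FPM or CLI the server fatals with an undefined-function error before any session check runs; `$_SERVER['HTTP_AUTHORIZATION']` is the portable source and belongs behind a `function_exists('getallheaders')` guard. `isset($headers['Authorization'])` is also case-sensitive while HTTP header names are not (HTTP/2 delivers them lowercased), so normalise with `array_change_key_case($headers, CASE_LOWER)` and read `'authorization'`. Because the `$_GET`/`$_POST` fallbacks stay, the session id can still arrive in the URL and end up in access logs and Referer headers, which is the exposure the commit message says is being removed; the docblock should call the query path a compatibility fallback and carry `@return string|false` for the mixed return. The brace on `getBrokerSessionID(){` and the capitalised `FALSE` differ from the rest of the file, which puts method braces on the next line and uses lowercase constants.
```php
    /**
     * Session id sent by the broker: Authorization header first, then the
     * legacy sso_session query/post parameter (kept only for compatibility).
     *
     * @return string|false
     */
    protected function getBrokerSessionID()
    {
        $headers = function_exists('getallheaders') ? (getallheaders() ?: []) : [];
        $headers = array_change_key_case($headers, CASE_LOWER);

        if (isset($headers['authorization'])) {
            return $headers['authorization'];
        }
        if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
            return $_SERVER['HTTP_AUTHORIZATION'];
        }
        // … unchanged: $_GET / $_POST sso_session fallbacks …

        return false;
    }
```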
@@ -101,7 +120,7 @@ abstract class Server
 {
 $matches = null;
- if (!preg_match('/^SSO-(\w*+)-(\w*+)-([a-z0-9]*+)$/', $_GET['sso_session'], $matches)) {
+ if (!preg_match('/^SSO-(\w*+)-(\w*+)-([a-z0-9]*+)$/', $this->getBrokerSessionID(), $matches)) {
 return $this->fail("Invalid session id");
 } |
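Review bot: The new preg_match subject re-reads the request through `$this->getBrokerSessionID()` instead of validating the value this method was handed: the preceding hunk calls `validateBrokerSessionId($sid)`, so the id is presumably already a parameter (the signature is outside the hunk, so its name is inferred). Re-reading couples the validator to the transport, repeats the header lookup, and passes a boolean `FALSE` to preg_match when nothing was sent, which is coerced to `''` and only fails by accident; use the parameter, `if (!preg_match('/^SSO-(\w*+)-(\w*+)-([a-z0-9]*+)$/', $sid, $matches)) {`. Note also that `$` in that pattern matches before a trailing newline, so an id ending in "\n" passes; the `D` modifier or `\z` pins the end of the string. The enclosing method ends outside the hunk.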