Moved SessionID from query param to the request headers. #53
Conversation
|
|
| @@ -192,7 +190,7 @@ protected function request($method, $command, $data = null) | |||
| $ch = curl_init($url); | |||
| curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); | |||
| curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method); | |||
| curl_setopt($ch, CURLOPT_HTTPHEADER, ['Accept: application/json']); | |||
| curl_setopt($ch, CURLOPT_HTTPHEADER, ['Accept: application/json', 'Authorization:'. $this->getSessionID()]); | |||
There was a problem hiding this comment.
Please use 'Authorization: Bearer ' . $this->getSessionId(). See this answer to know why.
| @@ -68,12 +68,12 @@ public function startBrokerSession() | |||
| { | |||
| if (isset($this->brokerId)) return; | |||
|
|
|||
| if (!isset($_GET['sso_session'])) { | |||
| $sid = $this->getBrokerSessionID(); | |||
There was a problem hiding this comment.
Please adhere to PSR2 and use 4 spaces, not tabs.
| if (!isset($_GET['sso_session'])) { | ||
| $sid = $this->getBrokerSessionID(); | ||
|
|
||
| if ($sid == FALSE) { |
There was a problem hiding this comment.
Please adhere to PSR2 and use false, not FALSE.
| * Get session ID from header Authorization or from $_GET/$_POST | ||
| */ | ||
| protected function getBrokerSessionID(){ | ||
| $headers = getallheaders(); |
There was a problem hiding this comment.
Please adhere to PSR2 and use 4 spaces, not tabs.
| return $_POST['sso_session']; | ||
| } | ||
|
|
||
| return FALSE; |
There was a problem hiding this comment.
Please adhere to PSR2 and use false, not FALSE.
| if (isset($_GET['sso_session'])) { | ||
| return $_GET['sso_session']; | ||
| } | ||
| if (isset($_POST['sso_session'])) { |
There was a problem hiding this comment.
Please follow RFC 6750 and accept $_GET['access_token'] or $_POST['access_token']. Also accept $_GET['sso_session'] for backwards compatibility.
| $headers = getallheaders(); | ||
|
|
||
| if (isset($headers['Authorization'])){ | ||
| if (strpos($headers['Authorization'], 'Bearer') === 0){ |
There was a problem hiding this comment.
Do not accept Authorization if it doesn't start with Bearer (mind the space). You can use 1 if.
Site note: Please put a space between ){.
| if (isset($_GET['sso_session'])) { | ||
| return $_GET['sso_session']; | ||
| } | ||
| if (isset($_POST['sso_session'])) { |
There was a problem hiding this comment.
Do not accept $_POST['sso_session'], only $_GET['sso_session']
| $sid = $this->getBrokerSessionID(); | ||
|
|
||
| if ($sid == FALSE) { | ||
| $sid = $this->getBrokerSessionID(); |
No description provided.