remove session id on payload #301

moe-lk · Dec 2, 2020 · 59e3de5 · 59e3de5
1 parent 4a32b37
commit 59e3de5
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 15 deletions.
diff --git a/.htaccess b/.htaccess
@@ -4,4 +4,7 @@
     RewriteRule    ^$    webroot/    [L]
     RewriteRule    (.*) webroot/$1    [L]
 </IfModule>
+<IfModule mod_php7.c>
+    php_flag session.use_trans_sid off
+</IfModule>
 
diff --git a/plugins/ControllerAction/src/Model/Traits/SecurityTrait.php b/plugins/ControllerAction/src/Model/Traits/SecurityTrait.php
@@ -68,25 +68,11 @@ public function paramsDecode($params)
         $signature = $this->urlsafeB64Decode($signature);
 
         $payload = json_decode($payload, true);
-        $sessionId = Security::hash('session_id', 'sha256');
-        if (!isset($payload[$sessionId])) {
-            throw new SecurityException('No session id in payload');
-        } else {
-            $checkPayload = $payload;
-            $checkPayload[$sessionId] = session_id();
-            $checkSignature = Security::hash(json_encode($checkPayload), 'sha256', true);
-            if ($signature !== $checkSignature) {
-                throw new SecurityException('Query String has been tampered');
-            }
-        }
-        unset($payload[$sessionId]);
         return $payload;
     }
 
     public function paramsEncode($params = [])
     {
-        $sessionId = Security::hash('session_id', 'sha256');
-        $params[$sessionId] = session_id();
         $jsonParam = json_encode($params);
         $base64Param = $this->urlsafeB64Encode($jsonParam);
         $signature = Security::hash($jsonParam, 'sha256', true);

diff --git a/webroot/.htaccess b/webroot/.htaccess
@@ -4,4 +4,6 @@
     RewriteCond %{REQUEST_URI} !=/server-status	
     RewriteRule ^ index.php [L]
 </IfModule>
-
+<IfModule mod_php7.c>
+    php_flag session.use_trans_sid off
+</IfModule>