diff --git a/.htaccess b/.htaccess
index 3624246b..d79ff15c 100755
--- a/.htaccess
+++ b/.htaccess
@@ -4,4 +4,7 @@
RewriteRule ^$ webroot/ [L]
RewriteRule (.*) webroot/$1 [L]
+
+ php_flag session.use_trans_sid off
+
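Review bot: `php_flag session.use_trans_sid off` on the added line is only understood when PHP runs as an Apache module; under PHP-FPM/FastCGI Apache treats it as an unknown directive and every request answers 500, so the hardening becomes an outage. Guard it with `<IfModule mod_php.c>` … `</IfModule>` (the module name varies with the PHP major version, e.g. `mod_php7.c` on older installs), or move the setting to php.ini / .user.ini where it applies regardless of SAPI. The identical line is added in webroot/.htaccess further down and needs the same guard. Stock php.ini-production already ships `session.use_trans_sid = 0`, so this is belt-and-braces rather than a fix on its own — worth a one-line comment above it saying so.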
diff --git a/config/app.php b/config/app.php
index c04a0e1b..fd6b253e 100755
--- a/config/app.php
+++ b/config/app.php
@@ -336,7 +336,13 @@
* To use database sessions, load the SQL file located at config/Schema/sessions.sql
*/
'Session' => [
- 'defaults' => 'php',
+ 'defaults' => 'cake',
+ 'timeout' => 30,
+ 'cookieTimeout' => 30,
+ 'ini' => array(
+ 'session.cookie_secure' => true,
+ 'session.cookie_httponly' => true
+ )
// 'defaults' => 'cache',
],
'debug' => true
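Review bot: The new `ini` block uses the long `array(` syntax while the surrounding config (`'Session' => [`, `],`) uses short `[]`; write it as `'ini' => [ … ],` with a trailing comma so it matches the file. The two cookie flags are a good hardening step, but `session.cookie_samesite` is left at PHP's default; adding `'session.cookie_samesite' => 'Lax',` (PHP 7.3+) covers the cross-site-request case that `cookie_secure` and `cookie_httponly` do not. Be aware that `session.cookie_secure => true` means the session cookie is never sent over plain HTTP, so a non-TLS development host (this file still carries `'debug' => true`) will not keep a session — expected, but a short comment next to that line will save the next developer a debugging session.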
diff --git a/config/routes.php b/config/routes.php
index 42e55829..0744cb7e 100755
--- a/config/routes.php
+++ b/config/routes.php
@@ -67,8 +67,6 @@
*/
$routes->connect('/pages/*', ['controller' => 'Pages', 'action' => 'display']);
-
-
/**
* Connect catchall routes for all controllers.
*
@@ -203,16 +201,16 @@
});
// For restful session
-Router::scope('/session', ['plugin' => 'Restful'], function ($routes) {
- $routes->scope('/', ['controller' => 'Session'], function ($routes) {
- $routes->extensions(['json']);
-
- $routes->connect('/:key', ['action' => 'check', '_method' => 'CHECK'], ['pass' => ['key']]);
- $routes->connect('/:key', ['action' => 'read', '_method' => 'GET'], ['pass' => ['key']]);
- $routes->connect('/', ['action' => 'write', '_method' => 'POST']);
- $routes->connect('/:key', ['action' => 'delete', '_method' => 'DELETE'], ['pass' => ['key']]);
- });
-});
+// Router::scope('/session', ['plugin' => 'Restful'], function ($routes) {
+// $routes->scope('/', ['controller' => 'Session'], function ($routes) {
+// $routes->extensions(['json']);
+
+// $routes->connect('/:key', ['action' => 'check', '_method' => 'CHECK'], ['pass' => ['key']]);
+// $routes->connect('/:key', ['action' => 'read', '_method' => 'GET'], ['pass' => ['key']]);
+// $routes->connect('/', ['action' => 'write', '_method' => 'POST']);
+// $routes->connect('/:key', ['action' => 'delete', '_method' => 'DELETE'], ['pass' => ['key']]);
+// });
+// });
/**
* Load all plugin routes. See the Plugin documentation on
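Review bot: The Restful session routes on the removed lines are re-added as commented-out code instead of being deleted; version control already preserves them, and a dormant block that exposes check/read/write/delete of session keys over JSON is exactly the kind of thing that gets uncommented by accident later. Delete the block, or if the option is meant to stay visible, replace it with a single comment such as `// Restful session routes (plugin Restful, controller Session) were removed; see git history.` Removing these endpoints is a sensible reduction of surface, and the reason belongs in the commit message rather than in ten lines of `//`.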
diff --git a/plugins/ControllerAction/src/Model/Traits/SecurityTrait.php b/plugins/ControllerAction/src/Model/Traits/SecurityTrait.php
index 26d27af5..2d949695 100755
--- a/plugins/ControllerAction/src/Model/Traits/SecurityTrait.php
+++ b/plugins/ControllerAction/src/Model/Traits/SecurityTrait.php
@@ -68,25 +68,11 @@ public function paramsDecode($params)
$signature = $this->urlsafeB64Decode($signature);
$payload = json_decode($payload, true);
- $sessionId = Security::hash('session_id', 'sha256');
- if (!isset($payload[$sessionId])) {
- throw new SecurityException('No session id in payload');
- } else {
- $checkPayload = $payload;
- $checkPayload[$sessionId] = session_id();
- $checkSignature = Security::hash(json_encode($checkPayload), 'sha256', true);
- if ($signature !== $checkSignature) {
- throw new SecurityException('Query String has been tampered');
- }
- }
- unset($payload[$sessionId]);
return $payload;
}
public function paramsEncode($params = [])
{
- $sessionId = Security::hash('session_id', 'sha256');
- $params[$sessionId] = session_id();
$jsonParam = json_encode($params);
$base64Param = $this->urlsafeB64Encode($jsonParam);
$signature = Security::hash($jsonParam, 'sha256', true);
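Review bot: After the removal, `paramsDecode` no longer verifies the signature at all: `$signature` is base64-decoded on the first context line and then never compared, so `return $payload;` hands back whatever the caller put in the query string and the `'Query String has been tampered'` exception can no longer fire. Dropping the session-id binding may be the intent (the other hunks rework session handling), but the integrity check has to survive it; `paramsEncode` still signs the raw JSON (`Security::hash($jsonParam, 'sha256', true)`), so the decoder should recompute that same hash over the raw JSON string it holds before `json_decode` and compare with `hash_equals()` (constant-time, unlike the old `!==`). Assuming `$payload` is the URL-safe-decoded JSON string at that point, as the following `json_decode` implies, the rewritten lines are below. Without the session id a correctly signed URL is now valid for any client that obtains it, which is a separate design decision that deserves a docblock on the trait. Both `paramsDecode` and `paramsEncode` extend beyond the hunk.
```php
$signature = $this->urlsafeB64Decode($signature);
// $payload is still the raw JSON here; verify the same bytes paramsEncode signed.
$expectedSignature = Security::hash($payload, 'sha256', true);
if (!is_string($signature) || !hash_equals($expectedSignature, $signature)) {
    throw new SecurityException('Query String has been tampered');
}
$payload = json_decode($payload, true);
return $payload;
```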
diff --git a/webroot/.htaccess b/webroot/.htaccess
index d8b9a05e..a96b930a 100755
--- a/webroot/.htaccess
+++ b/webroot/.htaccess
@@ -4,4 +4,6 @@
RewriteCond %{REQUEST_URI} !=/server-status
RewriteRule ^ index.php [L]
-
+
+ php_flag session.use_trans_sid off
+