Only reset session for non-ajax API requests ushahidi#791

* Avoids log out issues when grabbing things via ajax (ie. checkins) * But prevents CSRF by resetting the session. * Stil vulnerable with XSS but they could grab the CSRF token anyway.
rjmackay · Apr 2, 2013 · 43bfb9d · 43bfb9d
1 parent 7eb211f
commit 43bfb9d
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/application/controllers/api.php b/application/controllers/api.php
@@ -27,6 +27,19 @@ public function index()
 		// Disables CSRF validation for API requests
 		Validation::$is_api_request = TRUE;
 
+		// Reset session for API requests - since they don't get CSRF checked
+		// AJAX requests are ok - they skip CSRF anyway.
+		if (! request::is_ajax())
+		{
+			// Reset the session - API should be stateless
+			$_SESSION = array();
+			// Especially reset auth
+			Session::instance()->set(Kohana::config('auth.session_key'), null);
+
+			// Re-authenticate
+			$this->auth->http_auth_login();
+		}
+
 		// Instantiate the API service
 		$api_service = new Api_Service();
 

diff --git a/application/libraries/Api_Service.php b/application/libraries/Api_Service.php
@@ -88,11 +88,6 @@ public function __construct()
 			? $_POST
 			: $_GET;
 
-		// Reset the session - API should be stateless
-		$_SESSION = array();
-		// Especially reset auth
-		Session::instance()->set(Kohana::config('auth.session_key'), null);
-
 		// Load the API configuration file
 		Kohana::config_load('api');