[Koha-bugs] [Bug 32369] Two factor authentication can be bypassed if catalog and staff interface URL aren't properly configured

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Dec 1 08:28:50 CET 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32369

Marcel de Rooy <m.de.rooy at rijksmuseum.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #3 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
No, this is not a bug. This is design :) It always worked that way already. If
you log in via the OPAC, you have a session (+cookie) that allows you access to
staff too [when having sufficient permissions] when sharing the same domain
between OPAC and staff. So, 2FA works here as expected.

If you do not want that to happen, it is indeed a matter of configuration. Make
sure that OPAC and staff are not using the same domain. They won't share the
cookie, problem solved.

That's not the final word imo though. We already have reports asking for e.g.
separate timeout settings for OPAC and staff/intranet sessions. We should imo
create a separate OPAC and staff session and session cookie. This probably won't
happen before refactoring/rewriting C4::Auth?
I couldn't find a report for separating the session so quickly, so I opened a
new one. But I think that it must have been submitted already in the past, only
with some other terms or so.

Bug 32385. Closing this one.

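The comment above hinges on one mechanism: a browser sends a session cookie to every host the cookie's scope covers, so an OPAC login is honoured by the staff interface whenever both live in that scope. As an added example (not Koha code and not part of this bug report), the script below applies the RFC 6265 domain-matching rule to decide whether a session cookie issued by the OPAC host would also be sent to the staff host. All URLs and the cookie Domain values are constructed placeholders, and nothing here assumes which cookie attributes Koha actually sets. It goes one step beyond the comment by also covering the port: RFC 6265 cookies are not scoped by port, so an OPAC and staff interface on the same hostname but different ports still share the cookie, which is why "not the same domain" has to mean a different hostname.

```python
"""Decide whether a session cookie set by one web interface would also be
sent by the browser to another, using RFC 6265 domain matching.

Added example, not Koha code and not part of the bug report. The URLs and
cookie Domain values used below are constructed placeholders.
"""
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit


def _host(url: str) -> str:
    """Lowercased host name of a URL with the port dropped (cookies ignore ports)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def _is_ip(host: str) -> bool:
    """True for an IPv4/IPv6 literal; IP literals never domain-match a suffix."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches domain if they are identical,
    or host ends with '.' + domain and host is not an IP address."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def cookie_shared(issuer_url: str, other_url: str,
                  cookie_domain: Optional[str] = None) -> bool:
    """True if a session cookie set while visiting issuer_url would also be
    sent to other_url.

    cookie_domain is the cookie's Domain attribute. None models a host-only
    cookie (no Domain attribute), which the browser returns only to the exact
    host that set it.
    """
    issuer, other = _host(issuer_url), _host(other_url)
    if cookie_domain is None:
        return issuer == other
    # A browser rejects a cookie whose Domain does not cover the issuing host,
    # so such a cookie is never stored and never shared.
    if not domain_matches(issuer, cookie_domain):
        return False
    return domain_matches(other, cookie_domain)


def verdict(opac_url: str, staff_url: str,
            cookie_domain: Optional[str] = None) -> str:
    """One-line configuration verdict for an OPAC / staff URL pair."""
    if cookie_shared(opac_url, staff_url, cookie_domain):
        return "SHARED: an OPAC session cookie is also sent to the staff host"
    return "ISOLATED: the staff host does not receive the OPAC session cookie"


if __name__ == "__main__":
    # Constructed configurations, not real deployments.
    cases = [
        ("http://opac.example.org", "http://opac.example.org:8080", None),
        ("http://opac.example.org", "http://staff.example.org", None),
        ("http://opac.example.org", "http://staff.example.org", "example.org"),
        ("http://opac.example.org", "http://staff.example.net", "example.org"),
        ("http://192.0.2.10", "http://192.0.2.10:8080", None),
    ]
    for opac, staff, dom in cases:
        print(f"{opac:26} {staff:30} Domain={dom!s:12} -> {verdict(opac, staff, dom)}")
```

The first and last constructed cases are the ones that catch people out: same hostname on ports 80 and 8080 shares the cookie even with a host-only cookie, because port is not part of cookie scope. The third case shows that a Domain attribute set to the common parent (`example.org`) re-joins two hostnames that would otherwise be isolated, so a split into `opac.` and `staff.` only helps if the session cookie is host-only or its Domain stays below the shared parent.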
