[Koha-bugs] [Bug 29543] Self-checkout allows returning everybody's loans
bugzilla-daemon at bugs.koha-community.org
Tue Feb 8 16:27:46 CET 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29543
--- Comment #55 from Jonathan Druart <jonathan.druart+koha at gmail.com> ---
(In reply to Marcel de Rooy from comment #50)
> Question when looking in sco-main
>
> my $jwt = $query->cookie('JWT');
> if ($op eq "logout") {
>     $template->param( loggedout => 1 );
>     $query->param( patronlogin => undef, patronpw => undef );
>     undef $jwt;
> }
>
> Shouldn't we do some cleaning up here and just exit?
Exit and what? Here we are going to display the login form, that's the expected behaviour.
(In reply to Marcel de Rooy from comment #51)
> Hmm. Why are we doing this in sco-main:
>
> L47
> my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
> So the CGISESSID cookie is used here and we check permissions.
We check authentication for the staff member (who has logged in, or the credential from the sysprefs).
> L371
> $cookie = $query->cookie( -name => 'JWT',
> We create a new cookie JWT. But ignore the session cookie.
The JWT is used to authorise the OPAC user that has been authenticated in the previous step (cardnumber or login+password, depending on SelfCheckoutByLogin).
> L381
> output_html_with_http_headers $query, $cookie, $template->output, undef, {
> force_no_caching => 1 };
> We output now without the CGISESSID, only JWT.
> Why don't you pass the session cookie?
> You could pass something like [ $cookie1, $cookie2 ] ?
I think CGISESSID is in the CGI object already.
(In reply to Marcel de Rooy from comment #52)
> L362
> csrf_token => Koha::Token->new->generate_csrf( {
>     session_id => scalar $query->cookie('CGISESSID') . $patron->cardnumber,
>     id         => $patron->userid } ),
>
> Where is the corresponding csrf check?
In sco-patron-image.pl.
(In reply to Marcel de Rooy from comment #53)
> IIUC JWT is not encrypted. So this may be a bit more secure, but could be
> improved.
It is encoded using a secret, see Koha::Token::_gen_jwt
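The point made in the last reply (the JWT is signed with a secret, not encrypted), as an added example that is not Koha code and is written in Python rather than Koha's Perl: it builds and verifies an HS256 token by hand so both properties are visible, namely that anyone holding the cookie can read the claims, while nobody without the secret can change them. The secret value and the claim names are constructed for the example.

```python
# Added example (not Koha code): a minimal HS256 JSON Web Token signed with a
# shared secret. The payload is only base64url-encoded, so it is readable by
# anyone who holds the cookie; the HMAC signature is what prevents tampering.
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_jwt(claims: dict, secret: bytes) -> str:
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json(claims))
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def read_claims_unverified(token: str) -> dict:
    # Anyone holding the token can do this: no secret is needed to read it.
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes):
    # Returns the claims only if the signature matches; None otherwise.
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse "none" or any other algorithm
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_payload(token: str, claims: dict) -> str:
    # Swap the claims but keep the original signature (what a holder might try).
    header, _, sig = token.split(".")
    return f"{header}.{_b64url(_json(claims))}.{sig}"
```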