[Koha-bugs] [Bug 29957] Cookies not removed after logout

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Mar 21 13:10:57 CET 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29957

--- Comment #76 from Jonathan Druart <jonathan.druart+koha at gmail.com> ---
(In reply to Marcel de Rooy from comment #75)
> (In reply to Jonathan Druart from comment #74)
> > Those patches don't apply on top of bug 29915 and bug 28786. At this point I
> > think they should go first.
> 
> I will rebase them when needed. 29915 is PQA, I would let the RM push it now.
> 
> > You are deciding to list the cookies to remove whereas I think we decided the
> > reverse, and clear them all by default. Even, as we don't want to keep the
> > language, why should we leave the possibility to keep some?
> 
> I am not aware of a community decision here. The discussion showed me that
> it would be more acceptable to differentiate between cookies to keep and
> remove. And this patch set makes that possible via an allow list. 
> The language cookie might be an excellent example to keep.
> If there is consensus to use a deny list here, that is adjusted easily. Do
> you want me to ask on the dev ML? 

Only Martin and me so far (comments #14 and #15).
The problem is: how do you maintain it? I am assuming that we want to clear a
cookie by default, so how will sysops keep this list up to date? They will
have to know if a new cookie has been added to a given version. Seems a
nightmare.

> > To me, cookies are tied to the session, on logout should just remove them
> > all.
> Not all Koha cookies are session based. Some have a long expiry.
> Logout will now clear all cookies that you want to clear. Session cookies
> are normally cleared when you close the browser.
> Note that a considerable number of users may not log out, but close the
> browser.

I am not aware of cookies we want to keep in Koha after a logout. We proved
earlier that even "language" was not a good pick.

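The maintenance question raised in this comment, as an added example that is not part of the original thread or of Koha's code: it applies a removal list and a clear-by-default policy to the same constructed Cookie header. Apart from "language", every cookie name is hypothetical, as are the function names.

```python
# Added illustration; cookie names other than "language" are constructed.
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"

def sent_cookie_names(cookie_header):
    """Names the browser sent in its Cookie request header, in order."""
    names = []
    for pair in cookie_header.split(";"):
        name = pair.strip().partition("=")[0]
        if name and name not in names:
            names.append(name)
    return names

def expire_header(name, path="/"):
    # A past expiry plus Max-Age=0 makes the browser delete the cookie.
    # Path (and Domain, if one was set) must match the original cookie.
    return f"Set-Cookie: {name}=; Path={path}; Max-Age=0; Expires={EPOCH}"

def clear_listed(cookie_header, remove_list):
    """Policy A: expire only the cookies named in a maintained list."""
    return [n for n in sent_cookie_names(cookie_header) if n in remove_list]

def clear_all_except(cookie_header, keep_list=()):
    """Policy B: expire every cookie sent, minus an optional keep list."""
    return [n for n in sent_cookie_names(cookie_header) if n not in keep_list]

def survivors(cookie_header, cleared):
    """Cookies still in the browser after the logout response."""
    return [n for n in sent_cookie_names(cookie_header) if n not in cleared]

# Constructed request: "new_feature_pref" stands for a cookie introduced in a
# later release, after the sysop wrote the removal list below.
SAMPLE_HEADER = "SESSION_ID=abc123; language=en; search_history=x; new_feature_pref=1"
REMOVE_LIST = {"SESSION_ID", "search_history"}

if __name__ == "__main__":
    listed = clear_listed(SAMPLE_HEADER, REMOVE_LIST)
    print("removal list leaves behind:", survivors(SAMPLE_HEADER, listed))
    default = clear_all_except(SAMPLE_HEADER)
    print("clear-by-default leaves behind:", survivors(SAMPLE_HEADER, default))
    for name in default:
        print(expire_header(name))
```

With the removal list, the cookie added in the later release survives logout until someone updates the list; with clear-by-default nothing survives unless it is named on the keep list.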