[Koha-bugs] [Bug 31990] New: Shibboleth may redirect to opac if intranet and staff is served on same hostname.

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Oct 26 15:53:26 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31990

            Bug ID: 31990
           Summary: Shibboleth may redirect to opac if intranet and staff
                    is served on same hostname.
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Authentication
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: bjorn.nylen at ub.lu.se
        QA Contact: testopia at bugs.koha-community.org
                CC: dpavlin at rot13.org

The issue seems to be caused by the session interface being stuck to 'opac' if
you serve both intranet and opac on the same hostname (different ports) and you
visit the opac page before trying to log into intranet. 

Using the same hostname will result in opac and intranet using the same session
cookie, i.e. the same session, which may confuse things.

Reproducible in koha testing docker:
1. Enable shibboleth in koha-conf.xml and add a stub configuration
   <shibboleth>
       <matchpoint>userid</matchpoint> <!-- koha borrower field to match upon -->
       <mapping>
           <userid is="eduPersonID"></userid> <!-- koha borrower field to shibboleth attribute mapping -->
       </mapping>
   </shibboleth>

2. Restart everything
3. Visit opac
4. Visit staff. The shib-login link will be to the opac url.

Visiting staff before opac will not do the opposite though.
Issue arose when we upgraded to 22.05.

Possibly a side effect of Bug 29915 or Bug 29914? Not familiar enough to
actually say.

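The cookie scoping behind the shared session described in the report, as an added example (not part of the original report and not Koha code): HTTP cookies are matched on hostname and path, not on port, so a session cookie set on one port is also sent to the other. The hostnames, ports and session value are constructed, CGISESSID is Koha's session cookie name, and Python's http.cookiejar stands in for the browser.

```python
import email
import urllib.request
from http.cookiejar import CookieJar

# Constructed placeholders, not values from the report.
OPAC = "http://koha.example.org:8080/"
STAFF_SAME_HOST = "http://koha.example.org:8081/"
STAFF_OWN_HOST = "http://koha-intra.example.org:8081/"


class FakeResponse:
    """Minimal stand-in for an HTTP response, so the demo runs offline."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def browse_opac_first():
    """Visit the OPAC, receive a session cookie, and return the cookie jar."""
    jar = CookieJar()
    request = urllib.request.Request(OPAC)
    # Constructed Set-Cookie header; the session id is a made-up value.
    response = FakeResponse("CGISESSID=opac-session-123; Path=/; HttpOnly")
    jar.extract_cookies(response, request)
    return jar


def cookie_sent_to(jar, url):
    """Return the Cookie header the client would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    jar = browse_opac_first()
    # Same hostname, different port: the OPAC session cookie goes along.
    print("staff on same host:", cookie_sent_to(jar, STAFF_SAME_HOST))
    # Separate hostname: the staff interface starts without the OPAC session.
    print("staff on own host: ", cookie_sent_to(jar, STAFF_OWN_HOST))
```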