https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38327 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=36514 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- When I heard about this one on Mattermost, I was thinking about bug 36586 In this case... it is probably related to bug 36514. Because if you're kicked out of Koha without a new anonymous session, you won't have a valid session, and thus won't be able to generate a valid CSRF token, so you'll get that 403 error. -- Looking at check_cookie_auth in C4::Auth, I can see the following: 1846 if ( !$lasttime || ( $lasttime < time() - $timeout ) ) { 1847 # time out 1848 $session->delete(); 1849 $session->flush; 1850 return ("expired", undef); I reckon that's the problem you're describing here. -- There's probably a bunch of places where we delete the session instead of removing the authenticated session and replacing with an anonymous session. But... needs more investigating. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.