https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37060 --- Comment #15 from David Cook <dcook@prosentient.com.au> --- (In reply to Jan Kissig from comment #14)
Hi there, I tried to implement what David said but somehow the authenticated cookie and the CRSF-token are bound together, and when I loose that token (but keep the session), there seems no chance of getting a valid token again.
So the cookie contains the session ID, and the CSRF token is bound to that session ID.
Wiki says: If you lose it for whatever reason, you can get a new Csrf-Token by using your authenticated cookie and sending a GET to /cgi-bin/koha/svc/authentication like you did in the first step. ---
The token I received by GET /cgi-bin/koha/svc/authentication will always throw "wrong_csrf_token" so I build a workaround by logging out if GET /cgi-bin/koha/svc/authentication returns a valid session (<status>ok</status>)
I've just confirmed your problem using curl, so I'll look into that. Something very odd going on here, especially since I'm sure this used to work... -- You are receiving this mail because: You are watching all bug changes.