https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 Emmi Takkinen <emmi.takkinen@koha-suomi.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #199271|0 |1 is obsolete| | CC| |emmi.takkinen@koha-suomi.fi --- Comment #3 from Emmi Takkinen <emmi.takkinen@koha-suomi.fi> --- Created attachment 201531 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201531&action=edit Bug 42634: Force JWT cookie deletion on self-checkout logout The web-based self-checkout (opac/sco/sco-main.pl) builds the response JWT cookie with -expires => $jwt ? '+1d' : ''. On logout $jwt is undef, so the cookie is sent with an empty value and no Expires attribute - i.e. a session cookie with an empty value rather than a deletion. Some browsers/proxies retain the previous valid JWT in this scenario, which presents as the Finish/close button "doing nothing" or working only intermittently: the patron appears to remain logged in despite clicking Finish. Use a past Expires ('-1d') when no JWT is present so the browser deletes the cookie entirely. The subsequent ?op=logout render cannot then rediscover the patron from a stale cookie. Test plan: 1. Enable web-based self-checkout (SelfCheckoutByLogin or SelfCheckAllowByIPRanges). 2. Log in as a patron at /cgi-bin/koha/sco/sco-main.pl. 3. Open DevTools -> Application -> Cookies and note the JWT cookie. 4. Click the green "Finish" button. 5. Without the patch: Set-Cookie on the ?op=logout response shows JWT= with no Expires; the cookie persists as an empty session cookie. 6. With the patch: Set-Cookie shows JWT=; expires=<past date>; the browser removes the cookie entirely. 7. Confirm the kiosk reliably returns to the login screen and subsequent page loads do not re-authenticate from a stale JWT. Sponsored-by: OpenFifth Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi> -- You are receiving this mail because: You are watching all bug changes.