https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38327 --- Comment #10 from Jan Kissig <bibliothek@th-wildau.de> --- (In reply to David Cook from comment #9)
Btw which AJAX call were you making? We might want to fix that endpoint to not send back a cookie.
I think that there might be a bug report where we talked about that topic specifically...
on an private window with cookies deleted I opened(In reply to David Cook from comment #8)
(In reply to Jan Kissig from comment #7)
I have to correct my last comment: I had an AJAX call included via intranetuserjs on mainpage which fetched an internal report on $(document).ready().
When I disabled the fetch of the report the recreation of the behavior was not possible. So it seems connected to the AJAX-call after the DOM was built.
This has already been discussed somewhere...
When Koha rendered mainpage.pl, it would've sent you CGISESSID cookie with an anonymous session ID and it rendered the page with a CSRF token linked to that session ID.
When your AJAX call made a call, it probably didn't send that CGISESSID cookie.
When your AJAX call gets a response, it probably includes a new CGISESSID cookie with a new anonymous session ID, which overwrites the original CGISESSID cookie.
When you submit your login, you're using the new CGISESSID cookie and the CSRF token linked to the old CGISESSID cookie.
So it'll never work.
--
If you update your AJAX call to send with the CGISESSID cookie, you should be fine.
I took a look at the network requests: On a pivate window I opened my bookmark to /cgi-bin/koha/mainpage.pl it returned a cookie with CGISESSID 67cd... the fetch on document.ready to /cgi-bin/koha/svc/report?id=9 used this cookie (67cd...) in the request but got a new CGISESSID 0bc5... Now I enter the login and submit the page which uses 0bc5... I understand why CSRF-check is failing here as the login-form is linked to the first session 67cd The problem is that the fetch, although it used the given session id, got a new in response which replaced the original. I solved it by only sending the fetch if the login was successful -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.