https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37041 --- Comment #11 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to Marcel de Rooy from comment #10)
(In reply to Jonathan Druart from comment #9)
There is something fundamentally wrong in the way we handle the session id. Which leads to this kind of problems.
Should we consider setting the session id in the L1 (actually in the userenv) so that we could have access to the current session id. So if a new one has been generated and is different than the one in the cookie of the request we can access it easily?
We would have then: check_cookie_auth( C4::context->{userenv}->{session_id}, $required_flags ); and not relying on CGI.
Another way would be to trick CGI and replace HTTP_COOKIE env var. But this seems very hacky and certainly not something recommended.
Looks easier to remove the newly added CGI in the value_builder scripts and block access in another way (RewriteRule or just move the files?).
Easier maybe but then we have something specific in the apache config we could avoid. I am asking if there is something "better", not "easier" ;)
The original design should not have used scripts here ..
Yes, but too late.
The tric with passing another session id feels hacky too?
It is not another session id, it is actually the *current* session id! -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.