https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37060 --- Comment #49 from Jan Kissig <bibliothek@th-wildau.de> --- (In reply to David Cook from comment #48)
(In reply to Jan Kissig from comment #47)
If KOCT is used in the same browser window as Koha, KOCT will use the cookie (and therefore the session) of the logged in Koha user. This alone can be confusing as when running the settings of KOCT a new login is performed and therefore the existing Koha session gets overwritten with the session of the KOCT user.
Could you explain this one a bit more?
I haven't used KOCT before so I don't know much about it. What's the KOCT user?
KOCT takes a staff users credentials to login to Koha. You have to set them in the settings of KOCT. If you want to test (firefox only), its easy to install via https://addons.mozilla.org/en/firefox/addon/koct/ and you can watch the http requests via development tools.
Overall, it sounds like using the REST API would be better than using offline_circ/service.pl although that would just delay resolving the cookie auth issue.
This would require to have offline circulation available in the REST API which is not the case yet..
This reminds me of a different bug where someone talked about having the cookie path be more specific than /.
Hmm food for thought...
GET /cgi-bin/koha/svc/authentication will only return failed when no cookie is set, otherwise it returns 'expired' or 'ok'.
This does not explain why sudden 403s appear. I only managed to get 403s when cookies were forbidden at all and the POST was only carrying the token (not the cookie)
No cookie? I wonder how it had a token but no cookie...
What do you mean by "when cookies were forbidden at all"?
This was achieved by setting the strictest cookie setting in my Firefox, which breaks nearly every web app.
I will analyze this a bit more, but is it possible not to have a session when using the /cgi-bin/koha/svc/authentication endpoint?
Only for GETs. POSTs have to have a session and a CSRF token.
Maybe we should find out if libraries use KOCT and also have received the 'wrong CSRF-token' issue as in my test it never occurred. I will ask on mattermost -- You are receiving this mail because: You are watching all bug changes.