https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38327 --- Comment #12 from David Cook <dcook@prosentient.com.au> --- (In reply to Jan Kissig from comment #10)
I took a look at the network requests: On a pivate window I opened my bookmark to /cgi-bin/koha/mainpage.pl it returned a cookie with CGISESSID 67cd... the fetch on document.ready to /cgi-bin/koha/svc/report?id=9 used this cookie (67cd...) in the request but got a new CGISESSID 0bc5...
Now I enter the login and submit the page which uses 0bc5...
I understand why CSRF-check is failing here as the login-form is linked to the first session 67cd
The problem is that the fetch, although it used the given session id, got a new in response which replaced the original.
I solved it by only sending the fetch if the login was successful
Alternatively, you can send the cookie provided by /cgi-bin/koha/mainpage.pl to the endpoint /cgi-bin/koha/svc/report?id=9 I don't know how your Javascript is written, but do some googling around for things like: const xhr = new XMLHttpRequest(); xhr.withCredentials = true; With fetch, set the "credentials" option to "same-origin" or "include" (depending on your situation). With $.ajax, set xhrFields with "withCredentials: true". I think you probably get my point here. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.