https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 --- Comment #1 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 199250 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=199250&action=edit Bug 42634: Force JWT cookie deletion on self-checkout logout The web-based self-checkout (opac/sco/sco-main.pl) builds the response JWT cookie with -expires => $jwt ? '+1d' : ''. On logout $jwt is undef, so the cookie is sent with an empty value and no Expires attribute - i.e. a session cookie with an empty value rather than a deletion. Some browsers/proxies retain the previous valid JWT in this scenario, which presents as the Finish/close button "doing nothing" or working only intermittently: the patron appears to remain logged in despite clicking Finish. Use a past Expires ('-1d') when no JWT is present so the browser deletes the cookie entirely. The subsequent ?op=logout render cannot then rediscover the patron from a stale cookie. Test plan: 1. Enable web-based self-checkout (SelfCheckoutByLogin or SelfCheckAllowByIPRanges). 2. Log in as a patron at /cgi-bin/koha/sco/sco-main.pl. 3. Open DevTools -> Application -> Cookies and note the JWT cookie. 4. Click the green "Finish" button. 5. Without the patch: Set-Cookie on the ?op=logout response shows JWT= with no Expires; the cookie persists as an empty session cookie. 6. With the patch: Set-Cookie shows JWT=; expires=<past date>; the browser removes the cookie entirely. 7. Confirm the kiosk reliably returns to the login screen and subsequent page loads do not re-authenticate from a stale JWT. Sponsored-by: OpenFifth -- You are receiving this mail because: You are watching all bug changes.