https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37060 --- Comment #48 from David Cook <dcook@prosentient.com.au> --- (In reply to Jan Kissig from comment #47)
If KOCT is used in the same browser window as Koha, KOCT will use the cookie (and therefore the session) of the logged in Koha user. This alone can be confusing as when running the settings of KOCT a new login is performed and therefore the existing Koha session gets overwritten with the session of the KOCT user.
Could you explain this one a bit more? I haven't used KOCT before so I don't know much about it. What's the KOCT user? Overall, it sounds like using the REST API would be better than using offline_circ/service.pl although that would just delay resolving the cookie auth issue. This reminds me of a different bug where someone talked about having the cookie path be more specific than /. Hmm food for thought...
GET /cgi-bin/koha/svc/authentication will only return failed when no cookie is set, otherwise it returns 'expired' or 'ok'.
This does not explain why sudden 403s appear. I only managed to get 403s when cookies were forbidden at all and the POST was only carrying the token (not the cookie)
No cookie? I wonder how it had a token but no cookie... What do you mean by "when cookies were forbidden at all"?
I will analyze this a bit more, but is it possible not to have a session when using the /cgi-bin/koha/svc/authentication endpoint?
Only for GETs. POSTs have to have a session and a CSRF token. -- You are receiving this mail because: You are watching all bug changes.