https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40736 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- (In reply to Lari Taskula from comment #7)
(In reply to David Cook from comment #4)
Lari: Which version of Koha are you using? 25.05.02 and 24.11.06
Cool I have a 24.11 I can test off easily, and I'll check main as well.
(In reply to David Cook from comment #2) Would there be any downsides of having the endpoint generate the CGISESSID in case it is missing? Out of curiosity wouldn't it be useful to do so for external applications wanting to OIDC-authenticate an user to Koha to gain access to its authorized REST API endpoints?
I'd say that's actually a CSRF security vulnerability.
By bare minimum we have to handle the exception by checking the existence of CGISESSID and responding with a HTTP 400 (bad request) in case it is missing, and perhaps log a warning instead of an error, if the logging of this event is wanted in the first place.
Yeah, certainly needs some code improvement there. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.