https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34755 --- Comment #17 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #16)
I was trying my best to break my sessions, and I did manage to reproduce the problem, but I can't recall exactly how.
So I'm going to keep trying again (more carefully).
Ok so one way to do it would be to do the following: 1. Go to http://localhost:8080 2. Click "Log in with Keycloak" but don't log in 3. In a new tab, go to http://localhost:8080, and do a local login 4. Log out of the local login 5. Go back to original tab and complete the Keycloak login You'll get a wrong_csrf_token because the CGISESSID cookie value has changed. An anonymous user becoming an authenticated user will keep the same session ID, but an authenticated user becoming an anonymous user will lose their session ID. You should be getting the wrong_csrf_token warning in this case. -- You are receiving this mail because: You are watching all bug changes.