https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37041 --- Comment #34 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to Jonathan Druart from comment #33)
I have a similar bug, but on.... all pages.
It's not directly related to this bug report, but noting it here.
diff --git a/Koha/Token.pm b/Koha/Token.pm index 4a806b0e371..150c74e69e5 100644 --- a/Koha/Token.pm +++ b/Koha/Token.pm @@ -130,7 +130,11 @@ sub generate_csrf { my ( $self, $params ) = @_; return if !$params->{session_id}; $params = _add_default_csrf_params( $params ); - return $self->generate({ %$params, type => 'CSRF' }); + warn "GEN"; + use Data::Printer colored => 1; warn p $params; + my $token = $self->generate({ %$params, type => 'CSRF' }); + warn $token; + return $token; }
=head2 generate_jwt @@ -181,6 +185,8 @@ sub check { sub check_csrf { my ( $self, $params ) = @_; return if !$params->{session_id}; + warn "CHECK"; + use Data::Printer colored => 1; warn p $params; $params = _add_default_csrf_params( $params ); my $c = $self->check({ %$params, type => 'CSRF' });
Hit the mainpage
session table and cookie have 9abb01d0bceff507f39bdb0f1de11cb0 GEN { id "anonymous_9abb01d0bceff507f39bdb0f1de11cb0", secret "X03MO1qnZdYdgyfeuILPmQ", session_id "9abb01d0bceff507f39bdb0f1de11cb0" (dualvar: 9) } 41e446085fd0cb1caa56510a83ba699cd94abe81, 2ee4a96fd95b06120f683e38f32c749eb5584b2c,1735765447
fill login form in, submit
CHECK { session_id "25d62876954877dc50dad7548e3707bb" (dualvar: 25), token "41e446085fd0cb1caa56510a83ba699cd94abe81, 2ee4a96fd95b06120f683e38f32c749eb5584b2c,1735765447" (dualvar: Inf) } wrong_csrf_token
GEN # New token is generated with another session id as we display again the login form { id "anonymous_8e19eed358a168c842d0f1642cc21e52", secret "X03MO1qnZdYdgyfeuILPmQ", session_id "8e19eed358a168c842d0f1642cc21e52" (dualvar: 8e+19) }
3cce1ca26137eb16f04489553adeccd0519a38aa, a1e17bfd4720d2e38a37c04cfb5a9a92c8fd4a3f,1735765498
Session table has 8e19eed358a168c842d0f1642cc21e52 9abb01d0bceff507f39bdb0f1de11cb0
Where is coming from the session's ID from the CHECK??25d62876954877dc50dad7548e3707bb
Cleared all the data from browser's storage, same problem.
Open a private window fixes the problem.
I don't have time right now to investigate it more.
For an unknown reason I had the request header's cookie set to "Cookie: CGISESSID=4a076c38dbe04901e90ef270f88b6a53; CGISESSID=25d62876954877dc50dad7548e3707bb" The second value didn't appear in Storage > Cookie I had to remove the cookies from the browser's settings. There is certainly a bug in our code, or at least we should catch this problem. -- You are receiving this mail because: You are watching all bug changes.