[Bug 42634] New: Self-checkout Finish/logout does not reliably clear the JWT cookie
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 Bug ID: 42634 Summary: Self-checkout Finish/logout does not reliably clear the JWT cookie Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: martin.renvoize@openfifth.co.uk QA Contact: testopia@bugs.koha-community.org On the web-based self-checkout (opac/sco/sco-main.pl), clicking the Finish/close button on the kiosk does not reliably end the patron session. The JS redirects the browser to ?op=logout, but the server-side response does not actually delete the JWT cookie - it emits an empty value with no Expires attribute, so the browser keeps a session-scoped empty cookie (or, in some intermediary/cache scenarios, retains the previous valid JWT). The patron remains logged in until the cookie genuinely expires, which presents as the Finish button "doing nothing" or working only intermittently. In opac/sco/sco-main.pl the Set-Cookie for JWT on logout is built as: -value => \$jwt // '', -expires => \$jwt ? '+1d' : '', Empty -expires produces a session cookie with an empty value rather than a deletion. The standard pattern for clearing a cookie is a past Expires, e.g. '-1d'. Test plan: 1. Enable web-based self-checkout (SelfCheckoutByLogin or IP-range). 2. Log in as a patron at /cgi-bin/koha/sco/sco-main.pl. 3. Open browser DevTools -> Application -> Cookies. Note the JWT cookie value. 4. Click the green "Finish" button. 5. Without the patch: observe Set-Cookie: JWT= on the ?op=logout response with no Expires; the JWT cookie may persist or be replaced with an empty session cookie that some browsers/proxies handle inconsistently. 6. Apply the patch and reload. Click Finish again. 7. Confirm Set-Cookie: JWT=; expires=<past>; ... is sent and the JWT cookie is removed from the browser entirely. 8. Confirm the kiosk reliably returns to the login screen and the next page load does not re-authenticate from a stale JWT. Sponsored-by: OpenFifth (Ticket #246176, John Innes Centre) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 --- Comment #1 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 199250 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=199250&action=edit Bug 42634: Force JWT cookie deletion on self-checkout logout The web-based self-checkout (opac/sco/sco-main.pl) builds the response JWT cookie with -expires => $jwt ? '+1d' : ''. On logout $jwt is undef, so the cookie is sent with an empty value and no Expires attribute - i.e. a session cookie with an empty value rather than a deletion. Some browsers/proxies retain the previous valid JWT in this scenario, which presents as the Finish/close button "doing nothing" or working only intermittently: the patron appears to remain logged in despite clicking Finish. Use a past Expires ('-1d') when no JWT is present so the browser deletes the cookie entirely. The subsequent ?op=logout render cannot then rediscover the patron from a stale cookie. Test plan: 1. Enable web-based self-checkout (SelfCheckoutByLogin or SelfCheckAllowByIPRanges). 2. Log in as a patron at /cgi-bin/koha/sco/sco-main.pl. 3. Open DevTools -> Application -> Cookies and note the JWT cookie. 4. Click the green "Finish" button. 5. Without the patch: Set-Cookie on the ?op=logout response shows JWT= with no Expires; the cookie persists as an empty session cookie. 6. With the patch: Set-Cookie shows JWT=; expires=<past date>; the browser removes the cookie entirely. 7. Confirm the kiosk reliably returns to the login screen and subsequent page loads do not re-authenticate from a stale JWT. Sponsored-by: OpenFifth -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|oleonard@myacpl.org |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off Sponsorship status|--- |Sponsored Comma delimited| |OpenFifth list of Sponsors| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #199250|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 --- Comment #2 from David Nind <david@davidnind.com> --- Created attachment 199271 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=199271&action=edit Bug 42634: Force JWT cookie deletion on self-checkout logout The web-based self-checkout (opac/sco/sco-main.pl) builds the response JWT cookie with -expires => $jwt ? '+1d' : ''. On logout $jwt is undef, so the cookie is sent with an empty value and no Expires attribute - i.e. a session cookie with an empty value rather than a deletion. Some browsers/proxies retain the previous valid JWT in this scenario, which presents as the Finish/close button "doing nothing" or working only intermittently: the patron appears to remain logged in despite clicking Finish. Use a past Expires ('-1d') when no JWT is present so the browser deletes the cookie entirely. The subsequent ?op=logout render cannot then rediscover the patron from a stale cookie. Test plan: 1. Enable web-based self-checkout (SelfCheckoutByLogin or SelfCheckAllowByIPRanges). 2. Log in as a patron at /cgi-bin/koha/sco/sco-main.pl. 3. Open DevTools -> Application -> Cookies and note the JWT cookie. 4. Click the green "Finish" button. 5. Without the patch: Set-Cookie on the ?op=logout response shows JWT= with no Expires; the cookie persists as an empty session cookie. 6. With the patch: Set-Cookie shows JWT=; expires=<past date>; the browser removes the cookie entirely. 7. Confirm the kiosk reliably returns to the login screen and subsequent page loads do not re-authenticate from a stale JWT. Sponsored-by: OpenFifth Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 Emily Lamancusa (emlam) <emily.lamancusa@montgomerycountymd.gov> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |emily.lamancusa@montgomeryc | |ountymd.gov -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|dcook@prosentient.com.au |martin.renvoize@openfifth.c | |o.uk QA Contact|testopia@bugs.koha-communit |dcook@prosentient.com.au |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42634 Emmi Takkinen <emmi.takkinen@koha-suomi.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #199271|0 |1 is obsolete| | CC| |emmi.takkinen@koha-suomi.fi --- Comment #3 from Emmi Takkinen <emmi.takkinen@koha-suomi.fi> --- Created attachment 201531 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201531&action=edit Bug 42634: Force JWT cookie deletion on self-checkout logout The web-based self-checkout (opac/sco/sco-main.pl) builds the response JWT cookie with -expires => $jwt ? '+1d' : ''. On logout $jwt is undef, so the cookie is sent with an empty value and no Expires attribute - i.e. a session cookie with an empty value rather than a deletion. Some browsers/proxies retain the previous valid JWT in this scenario, which presents as the Finish/close button "doing nothing" or working only intermittently: the patron appears to remain logged in despite clicking Finish. Use a past Expires ('-1d') when no JWT is present so the browser deletes the cookie entirely. The subsequent ?op=logout render cannot then rediscover the patron from a stale cookie. Test plan: 1. Enable web-based self-checkout (SelfCheckoutByLogin or SelfCheckAllowByIPRanges). 2. Log in as a patron at /cgi-bin/koha/sco/sco-main.pl. 3. Open DevTools -> Application -> Cookies and note the JWT cookie. 4. Click the green "Finish" button. 5. Without the patch: Set-Cookie on the ?op=logout response shows JWT= with no Expires; the cookie persists as an empty session cookie. 6. With the patch: Set-Cookie shows JWT=; expires=<past date>; the browser removes the cookie entirely. 7. Confirm the kiosk reliably returns to the login screen and subsequent page loads do not re-authenticate from a stale JWT. Sponsored-by: OpenFifth Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Emmi Takkinen <emmi.takkinen@koha-suomi.fi> -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org