[Bug 10016] New: SelfCheckTimeout not logging patron out
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Bug ID: 10016 Summary: SelfCheckTimeout not logging patron out Classification: Unclassified Change sponsored?: --- Product: Koha Version: 3.10 Hardware: All OS: All Status: NEW Severity: critical Priority: P5 - low Component: Circulation Assignee: koha-bugs@lists.koha-community.org Reporter: nengard@gmail.com CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com Received via email: --------------- I also just discovered that the system preference SelfCheckTimeout which says it's supposed to "Time our the current patron's web-based self checkout system login" after a certain number of second only really returns to the self-check login screen. It's still possible to navigate back, see previous patron checkouts and check out items. ----------- Found in Koha 3.10.3 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Nicole C. Engard <nengard@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |http://bugs.koha-community. | |org/bugzilla3/show_bug.cgi? | |id=10009 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|3.10 |master --- Comment #1 from Owen Leonard <oleonard@myacpl.org> --- Confirmed in master. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 --- Comment #2 from Galen Charlton <gmcharlt@gmail.com> --- Telling the browser not to cache self-check pages should resolve this -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 --- Comment #3 from Galen Charlton <gmcharlt@gmail.com> --- (In reply to Galen Charlton from comment #2)
Telling the browser not to cache self-check pages should resolve this
It does already use a no-cache Cache-control directive; some preliminary testing indicates that adding max-age=0 to the cache-control directive should do it. Working on a patch. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Patch complexity|--- |Small patch -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 --- Comment #4 from Galen Charlton <gmcharlt@gmail.com> --- Created attachment 22115 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22115&action=edit bug 10016: munge history in SCO to discourage resubmitting user login This patch uses history.replaceState (introduced in HTML5) to manipulate the browser history to encourage returning to the SCO patron barcode form if the back button is used. Note that a side effect of this patch is that if the user uses the help link, they will be prompted to enter their barcode again. It may be better to put the help inline with the rest of the SCO forms. To test: [1] Start a web-based self-check session. [2] Enter a patron barcode. [3] Allow the self-check session to time out. [4] Use the back button. You should get the patron barcode entry form; you should not be prompted to resubmit form input. [5] Enter a patron barcode, perform some transactions, then use the finish button. [6] Next, use the back button. You should get the patron barcode entry form. Signed-off-by: Galen Charlton <gmc@esilibrary.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #22115|0 |1 is obsolete| | --- Comment #5 from Galen Charlton <gmcharlt@gmail.com> --- Created attachment 22116 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22116&action=edit Bug 10016: force zero browser-side caching of SCO pages This patch makes the web-based self-check module pages specify that no browser (or proxy caching) occur at all. This prevents a security issue where letting the SCO session time out, then hitting the back button allowed one to view the previous patron's session. This patch adds an optional fifth parameter to output_with_http_headers(), and output_html_with_http_headers(), a hashref for miscellaneous options. One key is defined at the moment: force_no_caching, which if if present and set to a true value, sets HTTP headers to specify no browser caching of the page at all. To test: [1] Start a web-based self-check session and optionally perform some transactions. [2] Allow the session to time out (it may be helpful to set SelfCheckTimeout to a low value such as 10 seconds). [3] Hit the back button. You should not see the previous patron's self-check session. [4] Verify that prove -v t/Output.t passes. Signed-off-by: Galen Charlton <gmc@esilibrary.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 --- Comment #6 from Galen Charlton <gmcharlt@gmail.com> --- Created attachment 22117 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22117&action=edit bug 10016: munge history in SCO to discourage resubmitting user login This patch uses history.replaceState (introduced in HTML5) to manipulate the browser history to encourage returning to the SCO patron barcode form if the back button is used. Note that a side effect of this patch is that if the user uses the help link, they will be prompted to enter their barcode again. It may be better to put the help inline with the rest of the SCO forms. To test: [1] Start a web-based self-check session. [2] Enter a patron barcode. [3] Allow the self-check session to time out. [4] Use the back button. You should get the patron barcode entry form; you should not be prompted to resubmit form input. [5] Enter a patron barcode, perform some transactions, then use the finish button. [6] Next, use the back button. You should get the patron barcode entry form. Signed-off-by: Galen Charlton <gmc@esilibrary.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Ed Veal <ed.veal@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ed.veal@bywatersolutions.co | |m --- Comment #7 from Ed Veal <ed.veal@bywatersolutions.com> --- I tested this bug in both Chrome and Firefox 24 (on a mac). It worked in Chrome but in firefox I got the following error when doing step 4 of the test plan. http://edveal.test.bywatersolutions.com/cgi-bin/koha/sco/undefined An error has occurred Error 404 This error means that the link was broken and that the page doesn't exist. To report this error, you can email the Koha Administrator. Return to the catalog home page. Ed -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Ed Veal <ed.veal@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #22116|0 |1 is obsolete| | Attachment #22117|0 |1 is obsolete| | --- Comment #8 from Galen Charlton <gmcharlt@gmail.com> --- Created attachment 22126 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22126&action=edit Bug 10016: force zero browser-side caching of SCO pages This patch makes the web-based self-check module pages specify that no browser (or proxy caching) occur at all. This prevents a security issue where letting the SCO session time out, then hitting the back button allowed one to view the previous patron's session. This patch adds an optional fifth parameter to output_with_http_headers(), and output_html_with_http_headers(), a hashref for miscellaneous options. One key is defined at the moment: force_no_caching, which if if present and set to a true value, sets HTTP headers to specify no browser caching of the page at all. To test: [1] Start a web-based self-check session and optionally perform some transactions. [2] Allow the session to time out (it may be helpful to set SelfCheckTimeout to a low value such as 10 seconds). [3] Hit the back button. You should not see the previous patron's self-check session. [4] Verify that prove -v t/Output.t passes. Signed-off-by: Galen Charlton <gmc@esilibrary.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 --- Comment #9 from Galen Charlton <gmcharlt@gmail.com> --- Created attachment 22127 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22127&action=edit bug 10016: munge history in SCO to discourage resubmitting user login This patch uses history.replaceState (introduced in HTML5) to manipulate the browser history to encourage returning to the SCO patron barcode form if the back button is used. Note that a side effect of this patch is that if the user uses the help link, they will be prompted to enter their barcode again. It may be better to put the help inline with the rest of the SCO forms. To test: [1] Start a web-based self-check session. [2] Enter a patron barcode. [3] Allow the self-check session to time out. [4] Use the back button. You should get the patron barcode entry form; you should not be prompted to resubmit form input. [5] Enter a patron barcode, perform some transactions, then use the finish button. [6] Next, use the back button. You should get the patron barcode entry form. Signed-off-by: Galen Charlton <gmc@esilibrary.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 --- Comment #10 from Ed Veal <ed.veal@bywatersolutions.com> --- Created attachment 22129 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22129&action=edit [SIGN-OFF]bug 10016: munge history in SCO to discourage resubmitting user login This patch uses history.replaceState (introduced in HTML5) to manipulate the browser history to encourage returning to the SCO patron barcode form if the back button is used. Note that a side effect of this patch is that if the user uses the help link, they will be prompted to enter their barcode again. It may be better to put the help inline with the rest of the SCO forms. To test: [1] Start a web-based self-check session. [2] Enter a patron barcode. [3] Allow the self-check session to time out. [4] Use the back button. You should get the patron barcode entry form; you should not be prompted to resubmit form input. [5] Enter a patron barcode, perform some transactions, then use the finish button. [6] Next, use the back button. You should get the patron barcode entry form. Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Ed Veal <ed.veal@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Ed Veal <ed.veal@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #22126|0 |1 is obsolete| | Attachment #22127|0 |1 is obsolete| | Attachment #22129|0 |1 is obsolete| | --- Comment #11 from Ed Veal <ed.veal@bywatersolutions.com> --- Created attachment 22130 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22130&action=edit Bug 10016: force zero browser-side caching of SCO pages This patch makes the web-based self-check module pages specify that no browser (or proxy caching) occur at all. This prevents a security issue where letting the SCO session time out, then hitting the back button allowed one to view the previous patron's session. This patch adds an optional fifth parameter to output_with_http_headers(), and output_html_with_http_headers(), a hashref for miscellaneous options. One key is defined at the moment: force_no_caching, which if if present and set to a true value, sets HTTP headers to specify no browser caching of the page at all. To test: [1] Start a web-based self-check session and optionally perform some transactions. [2] Allow the session to time out (it may be helpful to set SelfCheckTimeout to a low value such as 10 seconds). [3] Hit the back button. You should not see the previous patron's self-check session. [4] Verify that prove -v t/Output.t passes. Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Ed Veal <ed.veal@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #22130|0 |1 is obsolete| | --- Comment #12 from Ed Veal <ed.veal@bywatersolutions.com> --- Created attachment 22131 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22131&action=edit Bug 10016: force zero browser-side caching of SCO pages This patch makes the web-based self-check module pages specify that no browser (or proxy caching) occur at all. This prevents a security issue where letting the SCO session time out, then hitting the back button allowed one to view the previous patron's session. This patch adds an optional fifth parameter to output_with_http_headers(), and output_html_with_http_headers(), a hashref for miscellaneous options. One key is defined at the moment: force_no_caching, which if if present and set to a true value, sets HTTP headers to specify no browser caching of the page at all. To test: [1] Start a web-based self-check session and optionally perform some transactions. [2] Allow the session to time out (it may be helpful to set SelfCheckTimeout to a low value such as 10 seconds). [3] Hit the back button. You should not see the previous patron's self-check session. [4] Verify that prove -v t/Output.t passes. Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 --- Comment #13 from Ed Veal <ed.veal@bywatersolutions.com> --- Created attachment 22132 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22132&action=edit [SIGN-OFF]bug 10016: munge history in SCO to discourage resubmitting user login This patch uses history.replaceState (introduced in HTML5) to manipulate the browser history to encourage returning to the SCO patron barcode form if the back button is used. Note that a side effect of this patch is that if the user uses the help link, they will be prompted to enter their barcode again. It may be better to put the help inline with the rest of the SCO forms. To test: [1] Start a web-based self-check session. [2] Enter a patron barcode. [3] Allow the self-check session to time out. [4] Use the back button. You should get the patron barcode entry form; you should not be prompted to resubmit form input. [5] Enter a patron barcode, perform some transactions, then use the finish button. [6] Next, use the back button. You should get the patron barcode entry form. Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Brendan Gallagher <brendan@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #22131|0 |1 is obsolete| | Attachment #22132|0 |1 is obsolete| | --- Comment #14 from Brendan Gallagher <brendan@bywatersolutions.com> --- Created attachment 22140 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22140&action=edit [PASSED-QA] Bug 10016: force zero browser-side caching of SCO pages This patch makes the web-based self-check module pages specify that no browser (or proxy caching) occur at all. This prevents a security issue where letting the SCO session time out, then hitting the back button allowed one to view the previous patron's session. This patch adds an optional fifth parameter to output_with_http_headers(), and output_html_with_http_headers(), a hashref for miscellaneous options. One key is defined at the moment: force_no_caching, which if if present and set to a true value, sets HTTP headers to specify no browser caching of the page at all. To test: [1] Start a web-based self-check session and optionally perform some transactions. [2] Allow the session to time out (it may be helpful to set SelfCheckTimeout to a low value such as 10 seconds). [3] Hit the back button. You should not see the previous patron's self-check session. [4] Verify that prove -v t/Output.t passes. Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 --- Comment #15 from Brendan Gallagher <brendan@bywatersolutions.com> --- Created attachment 22141 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22141&action=edit [PASSED-QA] bug 10016: munge history in SCO to discourage resubmitting user login This patch uses history.replaceState (introduced in HTML5) to manipulate the browser history to encourage returning to the SCO patron barcode form if the back button is used. Note that a side effect of this patch is that if the user uses the help link, they will be prompted to enter their barcode again. It may be better to put the help inline with the rest of the SCO forms. To test: [1] Start a web-based self-check session. [2] Enter a patron barcode. [3] Allow the self-check session to time out. [4] Use the back button. You should get the patron barcode entry form; you should not be prompted to resubmit form input. [5] Enter a patron barcode, perform some transactions, then use the finish button. [6] Next, use the back button. You should get the patron barcode entry form. Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Brendan Gallagher <brendan@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA CC| |brendan@bywatersolutions.co | |m -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #16 from Galen Charlton <gmcharlt@gmail.com> --- Pushed to master. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10016 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |Pushed to Stable CC| |tomascohen@gmail.com --- Comment #17 from Tomás Cohen Arazi <tomascohen@gmail.com> --- This patch has been pushed to 3.12.x, will be in 3.12.7. Thanks Galen! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org