[Bug 28592] New: ISE after paying through opac payment plugin
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28592 Bug ID: 28592 Summary: ISE after paying through opac payment plugin Change sponsored?: --- Product: Koha Version: 20.11 Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: magnus@libriotech.no QA Contact: testopia@bugs.koha-community.org After upgrading to 20.11.06, we have a problem with using the koha-plugin-dibs-payments plugin for online payments: https://github.com/Libriotech/koha-plugin-dibs-payments After authenticating with the remote service the user is redirected back to <opac>/cgi-bin/koha/opac-account-pay-return.pl However, this page presents a login form, and the user is forced to log in. It looks like this happens because the value of the CGISESSID cookie is changed somewhere along the way. Or does it change because the login screen is presented? Not sure of what is cause and what is effect here. After logging in, the user is redirected (with a 303 status) to the same URL, but this time all the parameters that were POSTed the first time around are now included in the URL as one kind of weird GET parameter (note the semicolons between parameters): ?orderid=123;payment_method=Koha%3A%3APlugin%3A%3ACom%3A%3ABibLibre%3A%3ADIBSPayments;transact=123;authkey=abc etc The payment is recorded in the accountlines table, but koha_plugin_com_biblibre_dibspayments_dibs_transactions.accountline_id is left empty. As far as I can tell, checkauth is only used in two places in the opac, opac-account-pay-return.pl and opac-ratings.pl: $ sudo grep -rn "checkauth" /usr/share/koha/opac/cgi-bin/opac/opac-* /usr/share/koha/opac/cgi-bin/opac/opac-account-pay-return.pl:29:my ( $userid, $cookie, $sessionID, $flags ) = checkauth( $cgi, 0, {}, 'opac' ); /usr/share/koha/opac/cgi-bin/opac/opac-messaging.pl:24:use C4::Auth; # checkauth, getborrowernumber. /usr/share/koha/opac/cgi-bin/opac/opac-passwd.pl:25:use C4::Auth; # checkauth, getborrowernumber. /usr/share/koha/opac/cgi-bin/opac/opac-privacy.pl:22:use C4::Auth; # checkauth, getborrowernumber. /usr/share/koha/opac/cgi-bin/opac/opac-ratings.pl:40:my ($userid, $cookie, $sessionID) = checkauth( $query, 0, {}, 'opac' ); /usr/share/koha/opac/cgi-bin/opac/opac-reserve.pl:24:use C4::Auth; # checkauth, getborrowernumber. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28592 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |22543 CC| |jonathan.druart+koha@gmail. | |com --- Comment #1 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- This is caused by: commit d20c9ff5882377793d311f3a7a4621c4bdc31469 Bug 22543: Prevent "back and refresh attack" Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22543 [Bug 22543] Patron might be logged in again using browser back button -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28592 --- Comment #2 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- To recreate easily: * OPAC > Login > Privacy (/cgi-bin/koha/opac-privacy.pl) * MariaDB > delete from sessions; * Submit the form * Login again Notice the GET parameters -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28592 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|20.11 |unspecified -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28592 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kyle@bywatersolutions.com --- Comment #3 from Kyle M Hall <kyle@bywatersolutions.com> --- (In reply to Jonathan Druart from comment #2)
To recreate easily: * OPAC > Login > Privacy (/cgi-bin/koha/opac-privacy.pl) * MariaDB > delete from sessions; * Submit the form * Login again
Notice the GET parameters
It isn't passing a 'userid' or 'password' field back, so the code from that bug should not be trigger. My question is; are you sure the Koha FQDN you are starting at is the same FQDN as the return URL? Check your opac base url. If you are starting from a url that does not match the opac base url, this exact scenario will happen because the cookie is for one FQDN but the redirect goes back to another! Even though two FQDNs can point to the same Koha instance, they will have separate cookies and thus logging into one will not mean you are logged in to the other! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28592 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|unspecified |master Assignee|oleonard@myacpl.org |kyle@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28592 --- Comment #4 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Hi Magnus, were you able to resolve this with Kyle's suggestion? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28592 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WORKSFORME --- Comment #5 from Magnus Enger <magnus@libriotech.no> --- (In reply to Katrin Fischer from comment #4)
Hi Magnus, were you able to resolve this with Kyle's suggestion?
I don't think we have an ongoing problem with this, at least. Thanks for checking! -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org