[Bug 42494] New: Staff login through plugins/run.pl does not persist the new session cookie
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42494 Bug ID: 42494 Summary: Staff login through plugins/run.pl does not persist the new session cookie Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Plugin architecture Assignee: koha-bugs@lists.koha-community.org Reporter: nugged@gmail.com QA Contact: testopia@bugs.koha-community.org When a staff user reaches a Koha plugin page directly while unauthenticated, Koha displays the normal staff login form. After submitting valid credentials, the plugin page renders for the current request, but the browser does not keep a usable authenticated staff session for the next request. Reloading the same plugin page asks for login again. If the same staff user first logs in through /cgi-bin/koha/mainpage.pl and then opens the same plugin URL, the plugin page can be reloaded repeatedly as expected. To recreate: 1. Use a staff user with permission to run a plugin tool/report. 2. Clear browser cookies or use a private browser window. 3. Go directly to a plugin run URL, for example: /cgi-bin/koha/plugins/run.pl?class=Koha::Plugin::...&method=tool 4. Submit the staff login form with valid credentials. 5. Confirm that the plugin page renders. 6. Reload the page. 7. Notice that Koha asks for login again. 8. Clear cookies or log out. 9. Log in through /cgi-bin/koha/mainpage.pl with the same staff user. 10. Open the same plugin URL and reload it several times. Actual result: The login through plugins/run.pl only works for the current request. The browser does not appear to receive/persist the new authenticated CGISESSID needed for later requests to the same plugin page. Expected result: Logging in through a plugin URL should persist the staff session in the same way as logging in through mainpage.pl. Technical note: plugins/run.pl calls get_template_and_user and receives the authentication cookie returned by checkauth. When plugins are enabled, run.pl delegates the response to Koha::Plugins::Handler and the plugin usually renders through Koha::Plugins::Base output helpers. That path does not currently carry the cookie returned by get_template_and_user into the plugin response, so the Set-Cookie header can be lost. This is related in spirit to bug 40943 / bug 37041, where code after login had to use the current authenticated session rather than stale request cookie state, but this issue is specific to plugin execution through plugins/run.pl. I will attach a proposed patch. It is intentionally offered for review as a candidate fix: it propagates the authentication cookie returned by get_template_and_user from plugins/run.pl through Koha::Plugins::Handler to the plugin output helpers, so might be not the best solution or have a backhole. Because this touches authentication cookie propagation for plugin responses, please review carefully from both QA and security perspectives. I am not aware of a privilege escalation here; the concern is that the proposed fix changes where Koha includes staff login cookies in plugin-generated responses. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42494 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #1 from David Cook <dcook@prosentient.com.au> --- I thought OpenFifth already worked on this one. Hmm... what version? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42494 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Ah wait I think I see what you mean. Nevermind. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42494 --- Comment #3 from Andrii Nugged <nugged@gmail.com> --- Created attachment 198332 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=198332&action=edit Bug 42494: Preserve staff login cookies for plugin responses Logging in directly through plugins/run.pl can authenticate the current request but fail to persist the new staff session in the browser. run.pl calls get_template_and_user, which creates or replaces the CGISESSID and returns the Set-Cookie header that must be sent with the response. Normal staff scripts pass that cookie to output_html_with_http_headers. Plugin requests delegate rendering to Koha::Plugins::Handler, and plugin methods may print responses through Koha::Plugins::Base helpers, so the cookie returned by get_template_and_user is not carried to that response path. The visible result is that a user can submit credentials on a plugin page once, but reloading the same plugin page prompts for login again. Logging in through mainpage.pl first avoids the problem because the browser already has a valid staff session cookie. This patch passes the staff login cookies from plugins/run.pl through Koha::Plugins::Handler to the plugin instance, then uses them as the default cookies for Koha::Plugins::Base response helpers and plugin home redirects. Explicit cookies passed by plugin code are still honoured. This applies to the shared plugin response helper path rather than to any single plugin or plugin method. Security note: This patch does not create or validate sessions itself. Session creation, replacement, and authentication remain in get_template_and_user/checkauth; this change only preserves the Set-Cookie values returned by that layer until the plugin response is printed. The outgoing staff login cookies are stored on the plugin object until the response helper is called. Perl does not make that private, so a plugin could technically inspect them. This does not change Koha's existing plugin trust model: installed plugins are already trusted server-side Perl code. Please review the authentication-cookie implications carefully. Plugins that bypass Koha::Plugins::Base and print raw headers remain responsible for their own response headers. The regression test covers Handler::run with plugin HTML output and verifies that the CGISESSID Set-Cookie header is emitted along with the plugin response. Test plan: 1. Apply patch. 2. Open a plugin URL in a browser without an existing staff session. 3. Log in from the plugin page. 4. Reload the same plugin URL and confirm it stays logged in instead of showing the login form again. 5. Log in through /cgi-bin/koha/mainpage.pl and confirm the plugin page still works with the normal staff session. 6. Run: prove -I. -It/lib t/db_dependent/Koha/Plugins/Plugins.t 7. Run: prove -I. -It/lib t/db_dependent/Auth.t -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42494 Andrii Nugged <nugged@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff --- Comment #4 from Andrii Nugged <nugged@gmail.com> --- One note: the patch is intentionally small, but it touches how staff authentication cookies are carried through the shared plugin response path. It fixes the observed login/reload issue, but I may not be able to predict every consequence for other plugin response patterns. I would appreciate detailed QA/security review of the approach, especially around whether Koha::Plugins::Base is the right place to preserve the cookie returned by get_template_and_user, and whether any plugin response types should be excluded or handled differently. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42494 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- Thanks for providing a patch. That saves me a lot of time. I'll take a more in depth look later (it's already 5:31pm here), but I've taken a quick glance and it's looking pretty good at a glance. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42494 --- Comment #6 from Andrii Nugged <nugged@gmail.com> --- 🤗 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org