[Bug 29543] Self-checkout allows returning everybody's loans
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29543 --- Comment #55 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- (In reply to Marcel de Rooy from comment #50)
Question when looking in sco-main
my $jwt = $query->cookie('JWT'); if ($op eq "logout") { $template->param( loggedout => 1 ); $query->param( patronlogin => undef, patronpw => undef ); undef $jwt; }
Shouldnt we do some cleaning up here and just exit ?
exit and what? Here we are going to display the login form, that's the expected behaviour (In reply to Marcel de Rooy from comment #51)
Hmm. Why are we doing this in sco-main:
L47 my ( $template, $loggedinuser, $cookie ) = get_template_and_user( So the CGISESSID cookie is used here and we check permissions.
We check authentication for the staff member (who has logged in, or the credential from the sysprefs)
L371 $cookie = $query->cookie( -name => 'JWT', We create a new cookie JWT. But ignore the session cookie.
The JWT is used to authorised the OPAC user that has been authenticate in the previous step (cardnumber or login+password, depending on SelfCheckoutByLogin.
L381 output_html_with_http_headers $query, $cookie, $template->output, undef, { force_no_caching => 1 }; We output now without the CGISESSID, only JWT. Why dont you pass the session cookie? You could pass something like [ $cookie1, $cookie2 ] ?
I think CGISESSID is in the CGI object already. (In reply to Marcel de Rooy from comment #52)
L362 csrf_token => Koha::Token->new->generate_csrf( { session_id => scalar $query->cookie('CGISESSID') . $patron->cardnumber, id => $patron->userid } ),
Where is the corresponding csrf check?
in sco-patron-image.pl (In reply to Marcel de Rooy from comment #53)
Iiuc JWT is not encrypted. So this may be a bit more secure, but could be improved.
It is encoded using a secret, see Koha::Token::_gen_jwt -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org