It's possible that the login form is generated with one session and then another session is created before the token from the first session is checked.
The value of $csrf_status in the _chk_csrf subroutine in Koha/Token.pm should specify the exact error (0 is OK, 1 is expired, 2 is invalid, 3 is malformed). If it's not set, then there's something wrong with $params.
I would compare $params->{id} in the _gen_csrf and _chk_csrf subroutines. They should both begin with "anonymous" since you haven't logged in yet, but they might have different session ids. The value of $params->{secret} is likely the same in both, but would
cause a problem if it was different.
If _gen_csrf is not being called, there could be some caching issue.
Hopefully this provides a good start. Let us know what you find.
We have been using Koha for about 1-1/2 years now but we don’ consider ourselves Koha experts. I upgraded our Koha development environment system from 23.05.11 to 24.05.00 last week. It is running in an Ubuntu 22.04.4 LTS (5.15.0-112-generic
#122-Ubuntu SMP) in an AMD virtual machine. The system has a 40G disk with 15G available. It has a duplicate of our Koha production install.
After enabling the ERM module and adding a couple of test licenses, etc. The next time I attempted to login to the staff interface I got an Error 303 “The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again.” I have
cleared the cache browser (on all browsers), rebooted the system - no change.
If I login using the OPAC interface and then open a new window to the staff interface, without quiting the browser, it succeeds since I don’t have to login.
All of this behavior occurs regardless of the whether I use Firefox, Chrome, or Safari.
The Apache and Koha logs do not show any problem.
I am an experienced Linux system administrator and developer. I can read and write PERL but don’t consider myself a PERL expert.
Is there a way to turn on more logging, specific things to try?
Any assistance would be greatly appreciated.
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website :
https://www.koha-community.org/
git :
https://git.koha-community.org/
bugs :
https://bugs.koha-community.org/