[Koha-bugs] [Bug 12954] Questionable logic regarding session handling in C4::Auth::checkauth()
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Tue Dec 30 15:12:27 CET 2014
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12954
--- Comment #9 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
Created attachment 34829
-->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=34829&action=edit
Bug 12954: Failed login should retain anonymous session
A failed login should not leave the user in a half logged authenticated
state, but rather return them to an anonymouse session as per the
pre-login attempt state.
To replicate error:
1. Try to log in with some nonexisting user id or wrong password in the
OPAC
2. Go directly to /opac-user.pl (e.g., enter it in the browser address
bar, or just click on the "Log in" link)
3. Observe a DBI error displayed on the screen
4. You are now in the "deadloop" of sorts (opac/opac-user.pl refuses to
display the login screen, no matter how many times you try to reload
it); to break the deadloop, one needs to:
- remove session cookie from the browser (or cause the session to
expire in some other way - closing browser window would be probably
enough for that)
- remove offending session on the server (from mysql sessions table,
..)
- log in with proper credentials using some other page (like
opac/opac-main.pl right-side panel), which does not involve
opac/opac-user.pl being called without "userid" CGI parameter.
To test:
1. Test as above, the DBI error should no longer be present
2. Check that search history works across failed and sucessful login
attempts
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list