[Koha-bugs] [Bug 12954] Questionable logic regarding session handling in C4::Auth::checkauth()

bugzilla-daemon at bugs.koha-community.org
Sun Jan 18 06:28:23 CET 2015


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12954

Chris Cormack <chris at bigballofwax.co.nz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #34551|0                           |1
        is obsolete|                            |
  Attachment #34829|0                           |1
        is obsolete|                            |

--- Comment #15 from Chris Cormack <chris at bigballofwax.co.nz> ---
Created attachment 35341
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=35341&action=edit
Bug 12954: Failed login should retain anonymous session

A failed login should not leave the user in a half logged authenticated
state, but rather return them to an anonymous session as per the
pre-login attempt state.

To replicate error:
1. Try to log in with some nonexisting user id or wrong password in the
   OPAC
2. Go directly to /opac-user.pl (e.g., enter it in the browser address
   bar, or just click on the "Log in" link)
3. Observe a DBI error displayed on the screen
4. You are now in the "deadloop" of sorts (opac/opac-user.pl refuses to
   display the login screen, no matter how many times you try to reload
   it); to break the deadloop, one needs to:
   - remove session cookie from the browser (or cause the session to
     expire in some other way - closing browser window would be probably
     enough for that)
   - remove offending session on the server (from mysql sessions table,
    ..)
   - log in with proper credentials using some other page (like
     opac/opac-main.pl right-side panel), which does not involve
     opac/opac-user.pl being called without "userid" CGI parameter.

To test:
1. Test as above, the DBI error should no longer be present
2. Check that search history works across failed and successful login
   attempts

Signed-off-by: Chris Cormack <chris at bigballofwax.co.nz>

-- 
You are receiving this mail because:
You are watching all bug changes.
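
The behaviour the commit message above asks for, sketched as an added example; it is not code from the attachment or from C4::Auth. The session layout, the user table and every function name below are hypothetical, and the "flawed" variant is only an assumed way a half-authenticated session can arise.

```perl
use strict;
use warnings;

# Constructed stand-ins for the user table and the server-side session store.
my %users = ( alice => 'correct-horse' );

sub new_anonymous_session {
    return { userid => undef, authenticated => 0, search_history => ['perl books'] };
}

sub credentials_ok {
    my ( $userid, $password ) = @_;
    return 0 unless defined $userid && defined $password && exists $users{$userid};
    return $users{$userid} eq $password ? 1 : 0;
}

# Flawed pattern (assumed for illustration): the submitted userid is stored
# before it is verified, so a failed attempt leaves a named but
# unauthenticated session behind.
sub login_flawed {
    my ( $session, $userid, $password ) = @_;
    $session->{userid}        = $userid;
    $session->{authenticated} = credentials_ok( $userid, $password );
    return $session->{authenticated};
}

# Corrected pattern: nothing is written unless the check succeeds, so a failure
# leaves the pre-login anonymous session, search history included, untouched.
sub login_retain_anonymous {
    my ( $session, $userid, $password ) = @_;
    return 0 unless credentials_ok( $userid, $password );
    @{$session}{qw(userid authenticated)} = ( $userid, 1 );
    return 1;
}

# Classify a session the way a page handler would need to before trusting it.
sub session_state {
    my ($session) = @_;
    return 'authenticated' if $session->{authenticated} && defined $session->{userid};
    return 'anonymous'     if !$session->{authenticated} && !defined $session->{userid};
    return 'inconsistent';
}

# Run a failed and then a successful login against each variant.
for my $login ( \&login_flawed, \&login_retain_anonymous ) {
    my $session = new_anonymous_session();
    $login->( $session, 'nosuchuser', 'wrong' );
    printf "after failed login: %-13s history entries: %d\n",
        session_state($session), scalar @{ $session->{search_history} };
    $login->( $session, 'alice', 'correct-horse' );
    printf "after good login:   %-13s history entries: %d\n",
        session_state($session), scalar @{ $session->{search_history} };
}
```

A handler that refuses to act on any session classified as "inconsistent" gives a second line of defence if some other code path still writes identity fields early.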

