https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29543
--- Comment #55 from Jonathan Druart <[email protected]> ---

(In reply to Marcel de Rooy from comment #50)
> Question when looking in sco-main
>
> my $jwt = $query->cookie('JWT');
> if ($op eq "logout") {
>     $template->param( loggedout => 1 );
>     $query->param( patronlogin => undef, patronpw => undef );
>     undef $jwt;
> }
>
> Shouldn't we do some cleaning up here and just exit?

exit and what? Here we are going to display the login form, that's the expected behaviour.

(In reply to Marcel de Rooy from comment #51)
> Hmm. Why are we doing this in sco-main:
>
> L47
> my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
> So the CGISESSID cookie is used here and we check permissions.

We check authentication for the staff member (who has logged in, or the credential from the sysprefs).

> L371
> $cookie = $query->cookie( -name => 'JWT',
> We create a new cookie JWT. But ignore the session cookie.

The JWT is used to authorise the OPAC user that has been authenticated in the previous step (cardnumber or login+password, depending on SelfCheckoutByLogin).

> L381
> output_html_with_http_headers $query, $cookie, $template->output, undef, { force_no_caching => 1 };
> We output now without the CGISESSID, only JWT.
> Why don't you pass the session cookie?
> You could pass something like [ $cookie1, $cookie2 ] ?

I think CGISESSID is in the CGI object already.

(In reply to Marcel de Rooy from comment #52)
> L362
> csrf_token => Koha::Token->new->generate_csrf( {
>     session_id => scalar $query->cookie('CGISESSID') . $patron->cardnumber,
>     id         => $patron->userid } ),
>
> Where is the corresponding csrf check?

In sco-patron-image.pl.

(In reply to Marcel de Rooy from comment #53)
> Iiuc JWT is not encrypted. So this may be a bit more secure, but could be improved.

It is encoded using a secret, see Koha::Token::_gen_jwt.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
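The exchange above turns on two points: an HMAC-signed JWT is integrity-protected by the server secret but its payload is only base64url, so it is readable by whoever holds the cookie (comment #53 and the reply), and the anti-CSRF token is bound to the session cookie plus the patron identity (comment #52). The following stand-alone example, added here for this thread and not Koha's own code (it does not reproduce Koha::Token::_gen_jwt or generate_csrf), shows both behaviours with the Python standard library only. The secret value, the claim names and the session/user identifiers are assumptions made for the demonstration.

```python
"""HS256 JWT and session-bound CSRF token: what the secret does and does not protect.

Added example for this discussion; not Koha's Koha::Token code. The secret,
claim names and identifiers below are assumed values for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Sign claims as a compact HS256 JWS: header.payload.signature."""
    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read_claims_unverified(token: str) -> dict:
    """What anyone holding the cookie can read: the payload is encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the HMAC over header.payload checks out and exp has not passed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        given_sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose (rejects "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    claims = json.loads(_b64url_decode(p))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


def csrf_token(session_id: str, user_id: str, secret: bytes) -> str:
    """Bind an anti-CSRF token to both the session cookie value and the user."""
    msg = (session_id + "\x00" + user_id).encode("utf-8")
    return _b64url(hmac.new(secret, msg, hashlib.sha256).digest())


def check_csrf(token: str, session_id: str, user_id: str, secret: bytes) -> bool:
    """Recompute for the presenting session/user and compare in constant time."""
    return hmac.compare_digest(token, csrf_token(session_id, user_id, secret))


if __name__ == "__main__":
    SECRET = b"assumed-server-side-secret"           # assumed value
    tok = make_jwt({"id": "patron42", "exp": int(time.time()) + 600}, SECRET)
    print("claims readable without the secret:", read_claims_unverified(tok))
    print("accepted with the right secret:", verify_jwt(tok, SECRET) is not None)
    print("accepted with a wrong secret:", verify_jwt(tok, b"wrong") is not None)
```

The forged-payload case in the test below is the practical consequence of "encoded using a secret": a client can decode and even rewrite the payload, but cannot produce a signature the server will accept without the secret, so confidentiality of the claims and integrity of the claims are separate properties.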
