https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37041

--- Comment #10 from Marcel de Rooy <[email protected]> ---
(In reply to Jonathan Druart from comment #9)
> There is something fundamentally wrong in the way we handle the session id.
> Which leads to this kind of problem.
> 
> Should we consider setting the session id in the L1 (actually in the
> userenv) so that we could have access to the current session id. So if a new
> one has been generated and is different than the one in the cookie of the
> request we can access it easily?
> 
> We would have then:
>   check_cookie_auth( C4::context->{userenv}->{session_id}, $required_flags );
> and not relying on CGI.
> 
> Another way would be to trick CGI and replace HTTP_COOKIE env var. But this
> seems very hacky and certainly not something recommended.

Looks easier to remove the newly added CGI in the value_builder scripts and
block access in another way (RewriteRule or just move the files?).
The original design should not have used scripts here ..
The trick with passing another session id feels hacky too?
