https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37041
--- Comment #11 from Jonathan Druart ---
(In reply to Marcel de Rooy from comment #10)
> (In reply to Jonathan Druart from comment #9)
> > There is something fundamentally wrong in the way we handle the session id.
> > Which leads to this kind of problem.
> >
> > Should we consider setting the session id in the L1 (actually in the
> > userenv) so that we could have access to the current session id. So if a new
> > one has been generated and is different than the one in the cookie of the
> > request we can access it easily?
> >
> > We would have then:
> > check_cookie_auth( C4::context->{userenv}->{session_id}, $required_flags );
> > and not relying on CGI.
> >
> > Another way would be to trick CGI and replace HTTP_COOKIE env var. But this
> > seems very hacky and certainly not something recommended.
>
> Looks easier to remove the newly added CGI in the value_builder scripts and
> block access in another way (RewriteRule or just move the files?).

Easier maybe, but then we have something specific in the apache config we could avoid.
I am asking if there is something "better", not "easier" ;)

> The original design should not have used scripts here ..

Yes, but too late.

> The trick with passing another session id feels hacky too?

It is not another session id, it is actually the *current* session id!
