https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37041
--- Comment #29 from Jonathan Druart <[email protected]> ---

With the session's id available in userenv you don't have to rely on CGI. And with CGI you get the session's id from the cookie, which may be obsolete (for example, if you are in the middle of, or after, a login operation).

I am not sure what you want me to explain as I am sure you understood all that already. I just thought it was a good opportunity to clean up this area, as the way we handle the session's id leads us to problems like this one.

We should certainly try to reach this workflow:
- Auth from credential or CGISESSID cookie
- Set userenv
- Rely on userenv to know if the user is currently authenticated
- Add CGISESSID to the response

And the value_builder scripts here would return 403 unless C4::Auth::is_authenticated({catalogue => 1})

is_auth would just need to get the patron's id from userenv; if it exists, it means that the user is authenticated already.
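A minimal Python model of the workflow proposed in the comment above, added here as an illustration; it is not Koha code and not from the bug's patches. The session store, patron data and handler are constructed assumptions, and `is_authenticated` only mirrors the name suggested in the comment.

```python
import secrets

# Constructed sample data; a real system stores password hashes, not plaintext.
PATRONS = {
    "alice": {"password": "s3cret", "flags": {"catalogue"}},
    "bob": {"password": "hunter2", "flags": set()},
}
SESSIONS = {}  # session id -> {"patron_id", "flags"} (hypothetical server-side store)

def authenticate(request):
    """Steps 1-2: auth from credentials or the CGISESSID cookie, then build userenv."""
    creds = request.get("credentials")
    if creds:
        patron = PATRONS.get(creds["userid"])
        if patron is None or not secrets.compare_digest(patron["password"], creds["password"]):
            return None
        # A login always gets a fresh id; any cookie sent with the request is now obsolete.
        sid = secrets.token_hex(16)
        SESSIONS[sid] = {"patron_id": creds["userid"], "flags": patron["flags"]}
    else:
        sid = request.get("cookies", {}).get("CGISESSID")
        if sid not in SESSIONS:
            return None
    return {"session_id": sid, **SESSIONS[sid]}

def is_authenticated(userenv, required_flag):
    """Step 3: decide from userenv only, never from the request cookie."""
    return bool(userenv and userenv.get("patron_id") and required_flag in userenv["flags"])

def value_builder(request):
    """Hypothetical handler: 403 unless authenticated with the catalogue permission."""
    userenv = authenticate(request)
    if not is_authenticated(userenv, "catalogue"):
        return {"status": 403, "set_cookie": None}
    # Step 4: the response carries the session id taken from userenv.
    return {"status": 200, "set_cookie": userenv["session_id"]}

if __name__ == "__main__":
    # Login request that still carries an obsolete cookie (constructed input).
    login = {"cookies": {"CGISESSID": "stale"},
             "credentials": {"userid": "alice", "password": "s3cret"}}
    print(value_builder(login))
```

Reading the session id from the request cookie in the login case would yield `stale`, while userenv holds the id of the session that was actually created.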
