https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38327
David Cook changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36514

--- Comment #4 from David Cook ---
When I heard about this one on Mattermost, I was thinking about bug 36586.

In this case... it is probably related to bug 36514. Because if you're kicked out of Koha without a new anonymous session, you won't have a valid session, and thus won't be able to generate a valid CSRF token, so you'll get that 403 error.

--

Looking at check_cookie_auth in C4::Auth, I can see the following:

    if ( !$lasttime || ( $lasttime < time() - $timeout ) ) {
        # time out
        $session->delete();
        $session->flush;
        return ("expired", undef);

I reckon that's the problem you're describing here.

--

There's probably a bunch of places where we delete the session instead of removing the authenticated session and replacing with an anonymous session.

But... needs more investigating.
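
A minimal model of the failure mode described in the comment above, added here as an illustration; it is not Koha code. The in-memory session store, `check_timeout`, `csrf_token`, `post_status` and all values are hypothetical, and binding the token to the session id with an HMAC is an assumption for the sketch, not a statement of how Koha generates its tokens.

```perl
#!/usr/bin/perl
# Toy model (hypothetical names throughout): deleting a timed-out session
# leaves nothing to bind a CSRF token to, so the next POST gets a 403.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'constructed-demo-secret';    # constructed value
my $TIMEOUT = 600;                          # seconds, constructed value
my %sessions;                               # session id => { user, lasttime }
my $next_id = 0;

sub new_session {
    my ($user) = @_;                        # undef user = anonymous session
    my $id = 'sess' . ++$next_id;
    $sessions{$id} = { user => $user, lasttime => time() };
    return $id;
}

# The token is derived from the session id, so it needs a live session.
sub csrf_token {
    my ($id) = @_;
    return unless defined $id && exists $sessions{$id};
    return hmac_sha256_hex( $id, $SECRET );
}

# 'delete' mirrors the quoted excerpt; 'anonymise' drops the login but
# hands back a fresh anonymous session, as the comment suggests.
sub check_timeout {
    my ( $id, $mode ) = @_;
    my $s = $sessions{$id} or return ( 'failed', undef );
    return ( 'ok', $id ) if $s->{lasttime} >= time() - $TIMEOUT;
    delete $sessions{$id};
    return ( 'expired', undef ) if $mode eq 'delete';
    return ( 'expired', new_session(undef) );
}

# A POST is accepted only when the submitted token matches the session's.
sub post_status {
    my ( $id, $token ) = @_;
    my $expected = csrf_token($id);
    my $ok = defined $expected && defined $token && $token eq $expected;
    return $ok ? 200 : 403;
}

for my $mode (qw(delete anonymise)) {
    my $id = new_session('librarian');
    $sessions{$id}{lasttime} = time() - $TIMEOUT - 1;    # force a timeout
    my ( $status, $new_id ) = check_timeout( $id, $mode );
    my $token = csrf_token($new_id);    # what the next form would embed
    printf "%-9s status=%s session=%s next POST=%d\n",
        $mode, $status, $new_id // 'none', post_status( $new_id, $token );
}
```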
