https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38327
--- Comment #12 from David Cook <dc...@prosentient.com.au> ---
(In reply to Jan Kissig from comment #10)
> I took a look at the network requests:
> On a private window I opened my bookmark to /cgi-bin/koha/mainpage.pl
> it returned a cookie with CGISESSID 67cd...
> the fetch on document.ready to /cgi-bin/koha/svc/report?id=9 used this
> cookie (67cd...) in the request but got a new CGISESSID 0bc5...
>
> Now I enter the login and submit the page which uses 0bc5...
>
> I understand why CSRF-check is failing here as the login-form is linked to
> the first session 67cd
>
> The problem is that the fetch, although it used the given session id, got a
> new one in response which replaced the original.
>
> I solved it by only sending the fetch if the login was successful

Alternatively, you can send the cookie provided by /cgi-bin/koha/mainpage.pl to the endpoint /cgi-bin/koha/svc/report?id=9

I don't know how your Javascript is written, but do some googling around for things like:

const xhr = new XMLHttpRequest();
xhr.withCredentials = true;

With fetch, set the "credentials" option to "same-origin" or "include" (depending on your situation).

With $.ajax, set xhrFields with "withCredentials: true".

I think you probably get my point here.