https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37060

--- Comment #47 from Jan Kissig <[email protected]> ---
(In reply to David Cook from comment #46)
> (In reply to Jan Kissig from comment #45)
> > (In reply to David Cook from comment #44)
> > > (In reply to Jan Kissig from comment #43)
> > > > Every time before committing the circulation data to Koha, KOCT sends a
> > > > 
> > > > GET /cgi-bin/koha/svc/authentication
> > > > 
> > > > and retrieves SESSIONID and CSRF-Token from that response. If the 
> > > > response
> > > > is like
> > > > 
> > > > <status>ok
> > > > 
> > > > the circulation data is POSTed to /cgi-bin/koha/offline_circ/service.pl.
> > > > 
> > > > If the response is like
> > > > 
> > > > <status>expired
> > > > 
> > > > a POST /cgi-bin/koha/svc/authentication is made. 
> > > > 
> > > > So KOCT checks the auth status every time before sending data to Koha
> > > > but
> > > > will re-auth when a session is expired.
> > > 
> > > That sounds slightly problematic. Before doing "POST
> > > /cgi-bin/koha/svc/authentication" I think a new "GET
> > > /cgi-bin/koha/svc/authentication" will be needed to get a new session,
> > > because the old one will have been deleted so the CSRF token for that POST
> > > won't work.
> > 
> > you mean a second GET /cgi-bin/koha/svc/authentication when the first GET
> > /cgi-bin/koha/svc/authentication returns an 'expired'?
> 
> I think I misunderstood what you said before. I thought you said the
> "expired" was coming from the POST to /cgi-bin/koha/offline_circ/service.pl
> 
> I don't know why GET /cgi-bin/koha/svc/authentication would return "expired"
> unless a cookie jar was being re-used from a previous interaction. 
> 
> I would think the first GET /cgi-bin/koha/svc/authentication would be
> <status>failed and then you'd use the Csrf-Token and cookie from there

If KOCT is used in the same browser window as Koha, KOCT will use the cookie
(and therefore the session) of the logged in Koha user. 
This alone can be confusing as when running the settings of KOCT a new login is
performed and therefore the existing Koha session gets overwritten with the
session of the KOCT user.

GET /cgi-bin/koha/svc/authentication will only return failed when no cookie is
set, otherwise it returns 'expired' or 'ok'.

This does not explain why sudden 403s appear. I only managed to get 403s when
cookies were forbidden at all and the POST was only carrying the token (not the
cookie).

I will analyze this a bit more, but is it possible not to have a session when
using the /cgi-bin/koha/svc/authentication endpoint?

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
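The GET/POST handshake discussed in this thread, as an added simulation (Python, not KOCT's or Koha's code): the server side is a constructed stand-in, and the cookie/token naming and the `<status>` XML shape are assumptions taken from the thread. It models the point raised above, that a CSRF token is only valid together with the session cookie it was issued with, so a POST carrying a token without its cookie, or a token from a session the server has already dropped, is answered with a 403.

```python
import re

class FakeKoha:
    """Constructed stand-in for Koha's svc endpoints, not Koha's own code."""
    def __init__(self):
        self.sessions, self.logged_in, self.n = {}, set(), 0  # cookie -> CSRF token

    def _new_session(self):
        self.n += 1
        sid, token = f"SID{self.n}", f"TOKEN{self.n}"
        self.sessions[sid] = token
        return sid, token

    def expire(self, sid):
        # server-side expiry: the old session and the token bound to it are gone
        self.sessions.pop(sid, None)
        self.logged_in.discard(sid)

    def get_authentication(self, cookie):
        """GET /cgi-bin/koha/svc/authentication -> (xml body, cookie, csrf token)."""
        if cookie is None or cookie not in self.sessions:
            status = "failed" if cookie is None else "expired"
            cookie, token = self._new_session()
            return f"<response><status>{status}</status></response>", cookie, token
        status = "ok" if cookie in self.logged_in else "failed"
        return f"<response><status>{status}</status></response>", cookie, self.sessions[cookie]

    def post(self, path, cookie, token):
        """Any POST: 403 unless the CSRF token belongs to the session in the cookie."""
        if cookie is None or self.sessions.get(cookie) != token:
            return 403
        if path.endswith("/svc/authentication"):
            self.logged_in.add(cookie)
            return 200
        return 200 if cookie in self.logged_in else 403

def parse_status(xml):
    m = re.search(r"<status>(\w+)</status>", xml)
    return m.group(1) if m else None

def commit_offline_circ(koha, cookie):
    """KOCT-style client: GET first, then POST with the cookie+token pair that this
    GET returned, never a token left over from a session the server has dropped."""
    xml, cookie, token = koha.get_authentication(cookie)
    if parse_status(xml) != "ok":
        if koha.post("/cgi-bin/koha/svc/authentication", cookie, token) != 200:
            return "login rejected", cookie
    code = koha.post("/cgi-bin/koha/offline_circ/service.pl", cookie, token)
    return ("committed" if code == 200 else f"http {code}"), cookie
```

Running `commit_offline_circ` twice in a row reuses the session, and after `koha.expire(...)` the next call sees `expired`, takes the fresh cookie+token pair from that GET and re-authenticates with it, while any POST that reuses the stale token is refused.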
