https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37060
--- Comment #48 from David Cook <[email protected]> ---

(In reply to Jan Kissig from comment #47)
> If KOCT is used in the same browser window as Koha, KOCT will use the cookie
> (and therefore the session) of the logged in Koha user.
> This alone can be confusing as when running the settings of KOCT a new login
> is performed and therefore the existing Koha session gets overwritten with
> the session of the KOCT user.

Could you explain this one a bit more? I haven't used KOCT before so I don't know much about it. What's the KOCT user?

Overall, it sounds like using the REST API would be better than using offline_circ/service.pl although that would just delay resolving the cookie auth issue.

This reminds me of a different bug where someone talked about having the cookie path be more specific than /. Hmm food for thought...

> GET /cgi-bin/koha/svc/authentication will only return failed when no cookie
> is set, otherwise it returns 'expired' or 'ok'.
>
> This does not explain why sudden 403s appear. I only managed to get 403s
> when cookies were forbidden at all and the POST was only carrying the token
> (not the cookie)

No cookie? I wonder how it had a token but no cookie... What do you mean by "when cookies were forbidden at all"?

> I will analyze this a bit more, but is it possible not to have a session
> when using the /cgi-bin/koha/svc/authentication endpoint?

Only for GETs. POSTs have to have a session and a CSRF token.
