https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37060
--- Comment #49 from Jan Kissig <[email protected]> ---

(In reply to David Cook from comment #48)
> (In reply to Jan Kissig from comment #47)
> > If KOCT is used in the same browser window as Koha, KOCT will use the cookie
> > (and therefore the session) of the logged in Koha user.
> > This alone can be confusing as when running the settings of KOCT a new login
> > is performed and therefore the existing Koha session gets overwritten with
> > the session of the KOCT user.
>
> Could you explain this one a bit more?
>
> I haven't used KOCT before so I don't know much about it. What's the KOCT
> user?

KOCT takes a staff user's credentials to log in to Koha. You have to set them in the settings of KOCT. If you want to test (Firefox only), it's easy to install via https://addons.mozilla.org/en/firefox/addon/koct/ and you can watch the HTTP requests via the development tools.

> Overall, it sounds like using the REST API would be better than using
> offline_circ/service.pl although that would just delay resolving the cookie
> auth issue.

This would require offline circulation to be available in the REST API, which is not the case yet.

> This reminds me of a different bug where someone talked about having the
> cookie path be more specific than /.
>
> Hmm food for thought...
>
> > GET /cgi-bin/koha/svc/authentication will only return failed when no cookie
> > is set, otherwise it returns 'expired' or 'ok'.
> >
> > This does not explain why sudden 403s appear. I only managed to get 403s
> > when cookies were forbidden at all and the POST was only carrying the token
> > (not the cookie)
>
> No cookie? I wonder how it had a token but no cookie...
>
> What do you mean by "when cookies were forbidden at all"?

This was achieved by setting the strictest cookie setting in my Firefox, which breaks nearly every web app.

> > I will analyze this a bit more, but is it possible not to have a session
> > when using the /cgi-bin/koha/svc/authentication endpoint?
>
> Only for GETs.

POSTs have to have a session and a CSRF token. Maybe we should find out if libraries use KOCT and have also received the 'wrong CSRF-token' issue, as in my test it never occurred. I will ask on mattermost.
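The rules the comment describes (the authentication endpoint answering 'failed' only when no cookie arrives and otherwise 'expired' or 'ok'; a POST needing both a session and a CSRF token, so a token sent without its cookie gets a 403) can be modelled in a few lines. The model below is an added example written for this page, not Koha's code: Koha's real `svc/authentication` handler and CSRF implementation are not shown here. The in-memory session store, the session lifetime, and binding the CSRF token to the session id with an HMAC are assumptions, not facts from the bug report. Under those assumptions it also shows what happens when a second login replaces the session cookie in the same browser, as happens when KOCT logs in its own user: a token issued under the old session no longer matches.

```python
"""Model of cookie/CSRF checks as discussed in the thread (illustrative, not Koha code)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SERVER_SECRET = secrets.token_bytes(32)  # constructed per-process secret for the HMAC
SESSION_TTL = 3600                       # assumed session lifetime in seconds

# Constructed session store: session id -> (user, expiry timestamp).
SESSIONS: Dict[str, Tuple[str, float]] = {}


def login(user: str, now: Optional[float] = None) -> str:
    """Create a session and return its id (what the session cookie would carry)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, now + SESSION_TTL)
    return sid


def csrf_token(sid: str) -> str:
    """CSRF token bound to one session id (assumption): valid only with that cookie."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def auth_status(cookies: Dict[str, str], now: Optional[float] = None) -> str:
    """GET svc/authentication as described: 'failed' only without a cookie,
    otherwise 'expired' (unknown or timed-out session) or 'ok'."""
    now = time.time() if now is None else now
    sid = cookies.get("session")
    if sid is None:
        return "failed"
    entry = SESSIONS.get(sid)
    if entry is None or entry[1] <= now:
        return "expired"
    return "ok"


def handle_post(cookies: Dict[str, str], form: Dict[str, str],
                now: Optional[float] = None) -> int:
    """HTTP status a state-changing POST receives under the model's rules."""
    if auth_status(cookies, now) != "ok":
        return 403  # no session cookie (e.g. cookies blocked) or session expired
    expected = csrf_token(cookies["session"])
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return 403  # token does not belong to the session the cookie names
    return 200


if __name__ == "__main__":
    staff = login("staff")
    token = csrf_token(staff)
    print("GET without cookie:", auth_status({}))
    print("POST token only:", handle_post({}, {"csrf_token": token}))
    print("POST cookie + token:", handle_post({"session": staff}, {"csrf_token": token}))
    # A second login in the same browser replaces the cookie; the old token no longer fits.
    koct = login("koct-user")
    print("POST new cookie + old token:", handle_post({"session": koct}, {"csrf_token": token}))
```

Run as a script it prints the four cases; the last one reproduces, within the model, why a page rendered under one session and submitted under another fails the token check even though a cookie is present.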
