Hi,

On Tue, Jul 29, 2014 at 8:35 AM, Kyle Hall <kyle.m.h...@gmail.com> wrote:
> I have an interesting SIP2 implementation issue. When authenticating through
> SIP2, if a valid patron id is passed in, but an *invalid* password is passed
> in, Koha's SIP2 server sends back the AF ( screen message ) field even though
> the credentials are invalid. If a patron owes any fees, the server will send
> back the amount owed in an AF field.

Sadly, it looks like the only provision that the SIP2 specification
makes for dealing with an invalid patron password is to set the CQ
field. My reading of the spec is that the expected behavior regarding
other fields in the patron status and patron information responses is
undefined when an incorrect password is supplied.

> For instance, Overdrive will display this AF field even with an invalid
> password. Freegal does not ( but it may not display any AF field ). At least
> one SIP2 machine we tested against will also display the AF field when an
> invalid password is submitted.
>
> Is this a Koha issue, or a client side issue? The SIP2 protocol
> specification does not indicate that AF fields should be removed in the
> event of an invalid password. My guess is that some SIP2 server
> implementations may send back "Invalid password" messages which may be
> useful.

Possibly. In any event, I think we should either not send an AF, or
send one that contains something like "Invalid password" if the patron
password is wrong.

That leaves open the question about what to do with other fields,
particularly in the patron information response. My feeling is that
we should be conservative: if a patron password is sent via patron
status or patron information requests, and it's wrong, no information
about the patron should be returned.

There may need to be a configuration option controlling this behavior.

Regards,

Galen
--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: g...@esilibrary.com
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org
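
The conservative behavior proposed in the message above, sketched as an added example (not part of the original message and not Koha's code): an outbound filter for a SIP2 patron status response (24) that strips patron data when CQ is N. The policy names, the sample message and the choice to blank the status flags are assumptions; AY/AZ error detection is assumed off, and CQ=N is taken to mean a wrong password was supplied.

```python
# Added illustration; not Koha code. Field codes are SIP2's; policy names are hypothetical.
FIXED_LEN = 2 + 14 + 3 + 18  # "24" + patron status flags + language + transaction date
# Fields the client already knows or needs: institution id, patron id, password flag.
KEEP_ON_BAD_PASSWORD = {"AO", "AA", "CQ"}

def parse(msg):
    """Split a 24 response into its fixed header and a list of (code, value) fields."""
    head, body = msg[:FIXED_LEN], msg[FIXED_LEN:].rstrip("\r")
    return head, [(f[:2], f[2:]) for f in body.split("|") if f]

def sanitize(msg, policy="generic"):
    """Apply the invalid-password policy to an outgoing patron status response.

    legacy  -> send everything (the behavior reported in the thread)
    drop    -> no AF and no other patron fields
    generic -> as drop, plus an AF that only says the password was wrong
    """
    if policy not in ("legacy", "drop", "generic"):
        raise ValueError("unknown policy: %r" % policy)
    if not msg.startswith("24") or len(msg) < FIXED_LEN:
        raise ValueError("not a patron status response")
    head, fields = parse(msg)
    if dict(fields).get("CQ") != "N" or policy == "legacy":
        return msg
    kept = [(c, v) for c, v in fields if c in KEEP_ON_BAD_PASSWORD]
    if policy == "generic":
        kept.append(("AF", "Invalid password"))
    # The 14 status flags (blocks, excessive fines, ...) also describe the patron.
    head = head[:2] + " " * 14 + head[16:]
    return head + "".join("%s%s|" % (c, v) for c, v in kept) + "\r"

# Constructed sample: valid patron id, wrong password, fee amount leaked in BV and AF.
SAMPLE = ("24" + "Y" + " " * 13 + "001" + "20140729    083500"
          + "AOMAIN|AA23529000000001|AEDoe, Jane|BLY|CQN|BHUSD|BV12.50|"
          + "AFPatron owes 12.50|\r")

if __name__ == "__main__":
    for policy in ("legacy", "drop", "generic"):
        print(policy, repr(sanitize(SAMPLE, policy)))
```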