I think the essential problem is that SIP has two levels of authentication: the SIP server level, then the patron level. I think the SIP protocol intends for the SIP client to behave responsibly with the data it gets, but in reality SIP device manufacturers don't seem to try very hard.
For instance, what if we had a system with users that would periodically mine a SIP2 server for data? Let's say it's a university system that needs to know if a student owes the library money and they can't graduate without paying off any money owed to the library. In this case, SIP2 must be able to supply all the data even without knowing the patron's password. As far as I can tell, the SIP2 spec does not intend a bad user password to limit any data; it's up to the client to determine what and what not to display given a bad patron password. But, since we can't strong-arm SIP2 device manufacturers into using SIP2 properly, we need to deal with this ourselves.

Kyle

http://www.kylehall.info
ByWater Solutions ( http://bywatersolutions.com )
Meadville Public Library ( http://www.meadvillelibrary.org )
Crawford County Federated Library System ( http://www.ccfls.org )
Mill Run Technology Solutions ( http://millruntech.com )

On Wed, Jul 30, 2014 at 10:03 AM, Aaron Sakovich <asakov...@hmcpl.org> wrote:
> Hi,
>
> I'm also concerned about the wealth of other info returned if an invalid
> password is provided. I just tried sending a bad password and got the
> following info returned from Koha:
>
> 64 00120140730
> 084016000000000000000000000000AOMAIN|AA21562006551554|AESpunky
> Tester|BLY|CQN|CC15.00|BD915 Monroe Street Huntsville AL 35801 Madison|
> beaar...@hmcpl.org|PB
>
> AE: full name
> CQ: password verification failed!
> BD: street address
> BE: email address
>
> I did not see the AF field returned. However, someone with nefarious
> intent could harvest a LOT of patron info from SIP by just randomly (or
> sequentially) throwing out guessed library card numbers. Shouldn't the only
> thing returned be a CQN?
> (NB: we're on 3.14)
>
> Aaron
> --
> Aaron Sakovich
> Internet and Technology Services manager
> Huntsville-Madison County Public Library
> http://hmcpl.org/ -- asakov...@hmcpl.org
>
> On Jul 29, 2014, at 10:35 AM, Kyle Hall <kyle.m.h...@gmail.com> wrote:
>
> > I have an interesting SIP2 implementation issue. When authenticating
> > through SIP2, if a valid patron id is passed in, but an *invalid* password
> > is passed in, Koha's SIP2 server sends back the AF ( screen message ) field
> > even though the credentials are invalid. If a patron owes any fees, the
> > server will send back the amount owed in an AF field.
> >
> > For instance, Overdrive will display this AF field even with an invalid
> > password. Freegal does not ( but it may not display any AF field ). At
> > least one SIP2 machine we tested against will also display the AF field
> > when an invalid password is submitted.
> >
> > Is this a Koha issue, or a client side issue? The SIP2 protocol
> > specification does not indicate that AF fields should be removed in the
> > event of an invalid password. My guess is that some SIP2 server
> > implementations may send back "Invalid password" messages which may be
> > useful.
> >
> > Kyle
> >
> > http://www.kylehall.info
> > ByWater Solutions ( http://bywatersolutions.com )
> > Meadville Public Library ( http://www.meadvillelibrary.org )
> > Crawford County Federated Library System ( http://www.ccfls.org )
> > Mill Run Technology Solutions ( http://millruntech.com )
> > _______________________________________________
> > Koha mailing list http://koha-community.org
> > Koha@lists.katipo.co.nz
> > http://lists.katipo.co.nz/mailman/listinfo/koha
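As an added illustration of the thread's point (not Koha's SIP server code, nor code from any poster): a small Python parser for a SIP2 Patron Information Response (64) that applies the client-side rule Kyle describes, hiding personal fields unless the server reported CQ=Y. The sample message is constructed with placeholder patron data, and the set of field codes treated as sensitive is my assumption.

```python
"""Parse a SIP2 Patron Information Response (64) and hide personal fields
when CQ (valid patron password) is not Y. Added example, not Koha code."""

# Fixed-width header of a 64 response: message id (2), patron status (14),
# language (3), transaction date (18), then six 4-digit counts
# (hold, overdue, charged, fine, recall, unavailable holds).
HEADER_LEN = 2 + 14 + 3 + 18 + 6 * 4

# Assumption: field codes a client should hide on a failed password.
# AE name, BD address, BE email, BF phone, AF screen message, AG print line.
SENSITIVE = {"AE", "BD", "BE", "BF", "AF", "AG"}


def parse_64(msg):
    """Split a 64 message into its fixed header and a {code: [values]} map
    of the '|'-delimited variable fields (codes may repeat, e.g. AU)."""
    if not msg.startswith("64") or len(msg) < HEADER_LEN:
        raise ValueError("not a SIP2 64 response")
    header = {
        "patron_status": msg[2:16],
        "language": msg[16:19],
        "transaction_date": msg[19:37],
        "counts": [int(msg[i:i + 4]) for i in range(37, HEADER_LEN, 4)],
    }
    fields = {}
    for part in msg[HEADER_LEN:].split("|"):
        if len(part) >= 2:  # two-letter code followed by its value
            fields.setdefault(part[:2], []).append(part[2:])
    return header, fields


def password_verified(fields):
    """True only when the server explicitly reported CQ=Y. A missing CQ
    (client sent no AD password field) is treated as not verified."""
    return fields.get("CQ", [""])[0] == "Y"


def client_safe_fields(fields):
    """Fields a well-behaved SIP2 client may display for this response."""
    if password_verified(fields):
        return dict(fields)
    return {code: v for code, v in fields.items() if code not in SENSITIVE}


# Constructed sample in the same shape as the response quoted in the thread
# (placeholder patron data, no AY/AZ sequence and checksum fields).
SAMPLE_BAD_PASSWORD = (
    "64" + " " * 14 + "001" + "20140730    084016" + "0000" * 6
    + "AOMAIN|AA12345678|AETest Patron|BLY|CQN|CC15.00"
    + "|BD1 Example Street|BEpatron@example.org|PB"
)
```

The same check belongs on the server side too: a SIP2 server that strips these fields itself when CQ is N does not have to trust every device vendor to do it.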