Re: [Koha] [Koha-devel] SIP2 AF field sent even if patron password is invalid

2014-07-31 Thread Marc Véron
+1
Marc

On 30.07.2014 22:02, Katrin Fischer wrote:
 On 29.07.2014 at 17:55, Galen Charlton wrote:
 That leaves open the question about what to do with other fields,
 particularly in the patron information response.  My feeling is that
 we should be conservative: if a patron password is sent via patron
 status or patron information requests, and it's wrong, no information
 about the patron should be returned.  There may need to be a
 configuration option controlling this behavior.
 +1

 Katrin


___
Koha mailing list  http://koha-community.org
Koha@lists.katipo.co.nz
http://lists.katipo.co.nz/mailman/listinfo/koha


Re: [Koha] [Koha-devel] SIP2 AF field sent even if patron password is invalid

2014-07-30 Thread Katrin Fischer
On 29.07.2014 at 17:55, Galen Charlton wrote:
 That leaves open the question about what to do with other fields,
 particularly in the patron information response.  My feeling is that
 we should be conservative: if a patron password is sent via patron
 status or patron information requests, and it's wrong, no information
 about the patron should be returned.  There may need to be a
 configuration option controlling this behavior.

+1

Katrin


Re: [Koha] [Koha-devel] SIP2 AF field sent even if patron password is invalid

2014-07-29 Thread Galen Charlton
Hi,

On Tue, Jul 29, 2014 at 8:35 AM, Kyle Hall kyle.m.h...@gmail.com wrote:
 I have an interesting SIP2 implementation issue. When authenticating through
 SIP2, if a valid patron id is passed in, but an *invalid* password is passed
 in, Koha's SIP2 server sends back the AF ( screen message ) field even though
 the credentials are invalid. If a patron owes any fees, the server will send
 back the amount owed in an AF field.

Sadly, it looks like the only provision that the SIP2 specification
makes for dealing with an invalid patron password is to set the CQ
field.  My reading of the spec is that the expected behavior regarding
other fields in the patron status and patron information responses is
undefined when an incorrect password is supplied.

 For instance, Overdrive will display this AF field even with an invalid
 password. Freegal does not ( but it may not display any AF field ). At least
 one SIP2 machine we tested against will also display the AF field when an
 invalid password is submitted.

 Is this a Koha issue, or a client side issue? The SIP2 protocol
 specification does not indicate that AF fields should be removed in the
 event of an invalid password. My guess is that some SIP2 server
 implementations may send back Invalid password messages which may be
 useful.

Possibly.  In any event, I think we should either not send an AF, or
send one that contains something like Invalid password if the patron
password is wrong.

That leaves open the question about what to do with other fields,
particularly in the patron information response.  My feeling is that
we should be conservative: if a patron password is sent via patron
status or patron information requests, and it's wrong, no information
about the patron should be returned.  There may need to be a
configuration option controlling this behavior.

Regards,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  g...@esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org 
http://evergreen-ils.org