https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37041

--- Comment #34 from Jonathan Druart <jonathan.dru...@gmail.com> ---
(In reply to Jonathan Druart from comment #33)
> I have a similar bug, but on... all pages.
> 
> It's not directly related to this bug report, but noting it here.
> 
> diff --git a/Koha/Token.pm b/Koha/Token.pm
> index 4a806b0e371..150c74e69e5 100644
> --- a/Koha/Token.pm
> +++ b/Koha/Token.pm
> @@ -130,7 +130,11 @@ sub generate_csrf {
>      my ( $self, $params ) = @_;
>      return if !$params->{session_id};
>      $params = _add_default_csrf_params( $params );
> -    return $self->generate({ %$params, type => 'CSRF' });
> +    warn "GEN";
> +    use Data::Printer colored => 1; warn p $params;
> +    my $token = $self->generate({ %$params, type => 'CSRF' });
> +    warn $token;
> +    return $token;
>  }
>  
>  =head2 generate_jwt
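Review bot: In generate_csrf, `warn p $params` runs after `_add_default_csrf_params`, so it writes the CSRF `secret` to the error log, and `warn $token` puts the issued token next to it; this should stay a local debugging aid and not be committed. If a lasting diagnostic is wanted, log only `$params->{session_id}` and `$params->{id}`. Also move `use Data::Printer` out of the sub body: `use` is evaluated at compile time, so Koha/Token.pm would fail to load wherever Data::Printer is not installed.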
> @@ -181,6 +185,8 @@ sub check {
>  sub check_csrf {
>      my ( $self, $params ) = @_;
>      return if !$params->{session_id};
> +    warn "CHECK";
> +    use Data::Printer colored => 1; warn p $params;
>      $params = _add_default_csrf_params( $params );
>      my $c = $self->check({ %$params, type => 'CSRF' });
> 
> 
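Review bot: In check_csrf the dump sits before `_add_default_csrf_params( $params )`, so it shows only `session_id` and `token` and cannot be compared field by field with the GEN dump, which is taken after the defaults are added. Log `session_id` and `id` after that call in both subs instead, which also keeps the submitted token and the secret out of the log. The second `use Data::Printer colored => 1;` is redundant once the module is imported at file scope.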
> Hit the mainpage
> 
> session table and cookie have 9abb01d0bceff507f39bdb0f1de11cb0
> GEN
> {
>     id           "anonymous_9abb01d0bceff507f39bdb0f1de11cb0",
>     secret       "X03MO1qnZdYdgyfeuILPmQ",
>     session_id   "9abb01d0bceff507f39bdb0f1de11cb0" (dualvar: 9)
> }
> 41e446085fd0cb1caa56510a83ba699cd94abe81,
> 2ee4a96fd95b06120f683e38f32c749eb5584b2c,1735765447
> 
> fill login form in, submit
> 
> CHECK
> {
>     session_id   "25d62876954877dc50dad7548e3707bb" (dualvar: 25),
>     token       
> "41e446085fd0cb1caa56510a83ba699cd94abe81,
> 2ee4a96fd95b06120f683e38f32c749eb5584b2c,1735765447" (dualvar: Inf)
> }
> wrong_csrf_token
> 
> GEN # New token is generated with another session id as we display the login
> form again
> {
>     id           "anonymous_8e19eed358a168c842d0f1642cc21e52",
>     secret       "X03MO1qnZdYdgyfeuILPmQ",
>     session_id   "8e19eed358a168c842d0f1642cc21e52" (dualvar: 8e+19)
> }
> 
> 3cce1ca26137eb16f04489553adeccd0519a38aa,
> a1e17bfd4720d2e38a37c04cfb5a9a92c8fd4a3f,1735765498
> 
> Session table has 
> 8e19eed358a168c842d0f1642cc21e52
> 9abb01d0bceff507f39bdb0f1de11cb0
> 
> Where is the session ID from the CHECK coming from??
> 25d62876954877dc50dad7548e3707bb
> 
> Cleared all the data from browser's storage, same problem.
> 
> Opening a private window fixes the problem.
> 
> I don't have time right now to investigate it more.

For an unknown reason I had the request header's cookie set to "Cookie:
CGISESSID=4a076c38dbe04901e90ef270f88b6a53;
CGISESSID=25d62876954877dc50dad7548e3707bb".
The second value didn't appear in Storage > Cookie.

I had to remove the cookies from the browser's settings.

There is certainly a bug in our code, or at least we should catch this problem.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
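
The duplicate `CGISESSID` header reported in the comment above can be detected on the server before any session lookup or CSRF check. The following is an added example, not Koha code and not from the bug report: `conflicting_cookies` is a hypothetical helper, and what the caller does with a conflict (refuse the request, expire the cookie) is left as an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Koha code. conflicting_cookies() is a hypothetical helper.
# Returns a hashref mapping each cookie name that arrives with more than one
# distinct value to an arrayref of those values, in the order received.
sub conflicting_cookies {
    my ($header) = @_;
    my ( %values, %seen );
    for my $pair ( split /;/, $header // '' ) {
        my ( $name, $value ) = split /=/, $pair, 2;
        next unless defined $name;
        $name =~ s/^\s+|\s+$//g;
        next unless length $name;
        $value //= '';
        $value =~ s/^\s+|\s+$//g;
        next if $seen{$name}{$value}++;    # same value repeated: harmless
        push @{ $values{$name} }, $value;
    }
    my %conflicts;
    for my $name ( keys %values ) {
        $conflicts{$name} = $values{$name} if @{ $values{$name} } > 1;
    }
    return \%conflicts;
}

# Cookie header value as reported in the comment above.
my $header = 'CGISESSID=4a076c38dbe04901e90ef270f88b6a53; '
    . 'CGISESSID=25d62876954877dc50dad7548e3707bb';

my $conflicts = conflicting_cookies($header);
for my $name ( sort keys %$conflicts ) {
    # Report the name and count only: the values are live session IDs.
    warn sprintf "Cookie header carries %d different values for %s\n",
        scalar @{ $conflicts->{$name} }, $name;
}
```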
