https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38327
--- Comment #10 from Jan Kissig <[email protected]> ---

(In reply to David Cook from comment #9)
> Btw which AJAX call were you making? We might want to fix that endpoint to
> not send back a cookie.
>
> I think that there might be a bug report where we talked about that topic
> specifically...

on a private window with cookies deleted I opened

(In reply to David Cook from comment #8)
> (In reply to Jan Kissig from comment #7)
> > I have to correct my last comment: I had an AJAX call included via
> > intranetuserjs on mainpage which fetched an internal report on
> > $(document).ready().
> >
> > When I disabled the fetch of the report the recreation of the behavior was
> > not possible. So it seems connected to the AJAX-call after the DOM was
> > built.
>
> This has already been discussed somewhere...
>
> When Koha rendered mainpage.pl, it would've sent you CGISESSID cookie with
> an anonymous session ID and it rendered the page with a CSRF token linked to
> that session ID.
>
> When your AJAX call made a call, it probably didn't send that CGISESSID
> cookie.
>
> When your AJAX call gets a response, it probably includes a new CGISESSID
> cookie with a new anonymous session ID, which overwrites the original
> CGISESSID cookie.
>
> When you submit your login, you're using the new CGISESSID cookie and the
> CSRF token linked to the old CGISESSID cookie.
>
> So it'll never work.
>
> --
>
> If you update your AJAX call to send with the CGISESSID cookie, you should
> be fine.

I took a look at the network requests:

On a private window I opened my bookmark to /cgi-bin/koha/mainpage.pl. It returned a cookie with CGISESSID 67cd...

The fetch on document.ready to /cgi-bin/koha/svc/report?id=9 used this cookie (67cd...) in the request but got a new CGISESSID 0bc5...

Now I enter the login and submit the page, which uses 0bc5...

I understand why the CSRF check is failing here, as the login form is linked to the first session 67cd...

The problem is that the fetch, although it used the given session id, got a new one in response which replaced the original.

I solved it by only sending the fetch if the login was successful.

--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
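The session rotation described in the two comments above, as an added example that is not part of the bug report or of Koha's code: a small Python model in which the CSRF token is bound to the CGISESSID value, so a side request that answers with a fresh cookie invalidates the token already embedded in the rendered login form. The handler names mirror the paths in the thread; the HMAC secret, the cookie jar and the `rotate_session` switch are constructed for the model.

```python
import hashlib
import hmac
import secrets

# Constructed model of the flow in the thread: mainpage.pl issues an anonymous
# session and a CSRF token bound to it, a background svc/report call answers with
# a new CGISESSID, and the later login carries a token for the old session.
SECRET = b"constructed-server-secret"  # constructed; stands in for the server's key


def csrf_token(session_id: str) -> str:
    """Token bound to one session id (the thread: token "linked to that session ID")."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_mainpage(jar: dict) -> dict:
    """mainpage.pl: reuse or create an anonymous CGISESSID, embed its token in the form."""
    sid = jar.get("CGISESSID") or secrets.token_hex(16)  # e.g. 67cd... in the report
    jar["CGISESSID"] = sid
    return {"csrf_token": csrf_token(sid)}


def svc_report(jar: dict, rotate_session: bool) -> None:
    """svc/report: with rotate_session=True it mimics the observed endpoint, which
    answered with a fresh CGISESSID (0bc5...) even though a cookie was sent."""
    if rotate_session or "CGISESSID" not in jar:
        jar["CGISESSID"] = secrets.token_hex(16)


def login(jar: dict, form_token: str) -> bool:
    """Login handler: the token must match the session cookie that arrives with it."""
    expected = csrf_token(jar["CGISESSID"])
    return hmac.compare_digest(expected, form_token)


def browser_flow(fetch_report_before_login: bool, endpoint_rotates: bool) -> bool:
    """One browser session: a shared cookie jar across page load, AJAX call and login.

    fetch_report_before_login=False is the client-side workaround from comment #10
    (defer the report fetch until after login); endpoint_rotates=False is the
    server-side fix suggested in comment #9 (the endpoint keeps the existing session).
    """
    jar: dict = {}
    page = render_mainpage(jar)
    if fetch_report_before_login:
        svc_report(jar, endpoint_rotates)
    return login(jar, page["csrf_token"])
```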
