https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39206
--- Comment #8 from Marcel de Rooy <m.de.r...@rijksmuseum.nl> ---
(In reply to Michał from comment #0)
> Okay some short summary TLDR:
> Koha tries to "remove" a cookie by setting it to an empty value, but it
> fails in that:
> - no Max-Age=0 is set, meaning a cookie with empty value is created instead,
> indefinitely (possibly a new redundant one, as in next point)

Good point. Fixed in this patch set.

> - no Path or Domain are passed, meaning that the cookies with these set to
> non-default values will not be cleared out (and a new empty cookie will be
> created instead, without touching the cookies that we want to remove)
> - different Domain is expected to NOT be cleared out, as that's another
> site than Koha and we cannot interfere with that
> - different Path is within Koha subdomain, so not clearing it is
> problematic in regards to something like Bug 29956

The patch now uses a whitelist that can be refined with entries from koha-conf.
So should no longer touch other ones. Path defaults to /. No domain means
current host.
There seems to be only one HttpOnly cookie with a longer path in Koha.
If there is a cookie with another path than expected, this patch cannot remove
it since the Cookie header line only contains names and values. So we just
don't know. But that seems to be a more theoretical issue.
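
Added example, not part of the original comment and not code from the Koha patch: a Python model of a browser cookie jar that contrasts "removal" by empty value with removal using Max-Age=0 and the Path the cookie was set with. The cookie names, host, paths and the reading of the whitelist as "cookie names the application owns, with their known Path" are assumptions made for the illustration.

```python
from http.cookies import SimpleCookie

# Hypothetical allowlist: cookie names the application owns, with the Path each
# one was set with. Constructed values, not Koha's actual list.
MANAGED = {"session": "/", "lang": "/", "report_token": "/app/reports"}

def removal_headers(cookie_header, managed=MANAGED):
    """Return Set-Cookie values that expire the managed cookies in a request."""
    seen = SimpleCookie()
    seen.load(cookie_header)  # the Cookie header carries names and values only
    # Path comes from our own table; cookies not on the allowlist are skipped.
    return [f"{name}=; Max-Age=0; Path={managed[name]}"
            for name in seen if name in managed]

def apply_set_cookie(jar, host, header):
    """Simplified browser model: cookies are keyed by (name, domain, path)."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    opts = {k.lower(): v for k, _, v in (a.partition("=") for a in attrs)}
    # Simplification: real browsers derive a missing Path from the request URL.
    key = (name, opts.get("domain", host), opts.get("path", "/"))
    if "max-age" in opts and int(opts["max-age"]) <= 0:
        jar.pop(key, None)   # deletes only the exact name/domain/path match
    else:
        jar[key] = value     # stored as a cookie, even with an empty value
    return jar

def demo():
    host = "koha.example"    # constructed host and cookie values
    start = {("session", host, "/"): "abc",
             ("report_token", host, "/app/reports"): "t1",
             ("other_app", host, "/"): "x"}
    request = "session=abc; report_token=t1; other_app=x"

    weak = dict(start)       # "removal" by empty value, no attributes
    for name in ("session", "report_token"):
        apply_set_cookie(weak, host, f"{name}=")

    fixed = dict(start)      # removal with Max-Age=0 and the known Path
    for header in removal_headers(request):
        apply_set_cookie(fixed, host, header)
    return weak, fixed

if __name__ == "__main__":
    for label, jar in zip(("weak", "fixed"), demo()):
        print(label, sorted(jar.items()))
```

In the weak run the cookie at `/app/reports` survives and a second, empty `report_token` appears at `/`; in the fixed run only the cookie outside the allowlist remains.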