https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39206

Marcel de Rooy <m.de.r...@rijksmuseum.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #182758|0                           |1
        is obsolete|                            |

--- Comment #9 from Marcel de Rooy <m.de.r...@rijksmuseum.nl> ---
Created attachment 182760
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=182760&action=edit
Bug 39206: Add whitelist to Koha::CookieManager

This patch adds a bit more control to what CookieManager does by
adding a hardcoded whitelist of cookie names that are cleared at
logout, while at the same time allowing entries to be added to that
list with koha-conf <remove_cookie> lines or removed from the
hardcoded list with <do_not_remove_cookie> lines.

The patch fixes the expiration of cookies that should be removed
by passing max-age 0.

Also it adds a theoretical path correction for always_show_holds but
since we do not clear that cookie, it is currently unused. This seems
to be the only Koha cookie where we use a longer path.

Test plan:
Run t/CookieManager.t

Go to OPAC, login, select a few OPAC search results and send them
to cart. This would create cookie bib_list. (Check dev tools.)

Log out from OPAC and check the cookie in your browser dev tools. What
you see depends on the browser, but the cookie should be either
gone or empty and expired (FF: Session).

Now add a <do_not_remove_cookie> line for bib_list in koha-conf.
Restart all. Repeat search, add to cart. Logout. Check again in dev
tools that bib_list is not empty, not expired.

Check out an item. And click on 'Always show checkouts...' on
the patron checkout form. This should create the cookie with
value DO. Logout from intranet. Check that cookie was not affected.
Now add a <remove_cookie> line for the following cookie:
issues-table-load-immediately-circulation. Restart all.
Login and logout from staff again. Check that cookie is empty
and expired, or just gone.

Bonus for devs: Create some custom cookie, and test keeping or
removing it in a similar way as above.

Signed-off-by: Marcel de Rooy <m.de.r...@rijksmuseum.nl>
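
The list resolution and expiry behaviour described in the commit message above, as an added Python sketch (not Koha::CookieManager code and not part of the patch). The default list contents, the function names and the longer path value are assumptions made for illustration; only the cookie names and the two koha-conf element names come from the message.

```python
# Added illustration of the logout cookie-clearing logic; not Koha code.

# (assumed) stand-in for the hardcoded list. The message only confirms
# that bib_list is cleared at logout by default.
DEFAULT_CLEAR = {"bib_list"}

# (assumed) A cookie set with a longer Path must be cleared with that same
# Path, or the browser treats the clearing header as a different cookie.
# The real path is not given in the message; this value is a placeholder.
PATH_OVERRIDES = {"always_show_holds": "/example/longer/path"}


def names_to_clear(remove=(), do_not_remove=()):
    """Defaults plus <remove_cookie> entries, minus <do_not_remove_cookie>."""
    return (set(DEFAULT_CLEAR) | set(remove)) - set(do_not_remove)


def sent_names(cookie_header):
    """Cookie names found in a request's Cookie header."""
    return [p.split("=", 1)[0].strip()
            for p in cookie_header.split(";") if "=" in p]


def logout_headers(cookie_header, remove=(), do_not_remove=()):
    """Set-Cookie values that empty and expire the listed cookies.

    Cookies the browser sent that are not on the effective list are left
    untouched, so unrelated cookies survive the logout.
    """
    clear = names_to_clear(remove, do_not_remove)
    headers = []
    for name in sorted(set(sent_names(cookie_header))):
        if name not in clear:
            continue
        path = PATH_OVERRIDES.get(name, "/")
        # Max-Age=0 tells the browser to discard the cookie immediately.
        headers.append(f"{name}=; Max-Age=0; Path={path}")
    return headers


if __name__ == "__main__":
    # Constructed request header mirroring the test plan's cookies.
    sample = ("CGISESSID=abc; bib_list=12/34/; "
              "issues-table-load-immediately-circulation=DO")
    print(logout_headers(sample))
    print(logout_headers(sample, do_not_remove=["bib_list"]))
```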
