This patch simply generates a new user agent when reauthenticating when the CSRF token for the session has expired.

To test:

1 - Edit Koha/Token.pm, line 275 from:
    { MaxAge => $params->{MaxAge} // ( CSRF_EXPIRY_HOURS * 3600 ) },
    to:
    { MaxAge => $params->{MaxAge} // ( CSRF_EXPIRY_HOURS ) },
2 - This will make your CSRF tokens expire after 8 seconds
3 - vim /etc/koha/sites/kohadev/connexion.cnf
4 - Set content:
    host:
    port: 8888
    koha:http://localhost:8081
    log:/var/log/koha/kohadev/connexion.log
    match:ISBN
    user:kohauser
    password:kohapass
    overlay_action:replace
    nomatch_action:create_new
    item_action:always_add
    import_mode:direct
    framework:BKS
    overlay_framework:
    debug:1
5 - Save the sample file from this bug into your kohaclone (or copy and paste into a file your koha test site can reach)
6 - On the command line:
    perl misc/bin/connexion_import_daemon.pl -c /etc/koha/sites/kohadev/connexion.cnf
7 - In another terminal:
    cat bug_33418.test | nc -v localhost 8888
8 - Successful request
9 - Wait 10 seconds (more than 8 anyways)
10 - Repeat 7
11 - Unsuccessful request - Invalid CSRF token
12 - Ctrl+C to stop the connexion daemon
13 - Apply patch
14 - repeat 6
15 - repeat 7, success
16 - Wait more than 8 seconds
17 - repeat 7, success!
18 - repeat again until you are satisfied
19 - Sign off!

WNC amended and tidied

Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

clear_cache.pl
connexion_import_daemon.pl
koha-zebra-ctl.sh
sip_run.sh
sip_shutdown.sh