git.koha-community.org Git - koha.git/commit
Bug 10016: force zero browser-side caching of SCO pages
author Galen Charlton <gmc@esilibrary.com>
Sun, 20 Oct 2013 17:13:22 +0000 (17:13 +0000)
committer Tomas Cohen Arazi <tomascohen@gmail.com>
Wed, 20 Nov 2013 13:57:39 +0000 (10:57 -0300)
commit 52e0b599fd9497dcc228ee5e21a729b4ffdbafb3
tree 61ee41a644a56514b63d832c795d19564e869a30
parent 0e21efd76e3366267ee144b7ca317b855f292f2d
Bug 10016: force zero browser-side caching of SCO pages

This patch makes the web-based self-check module pages
specify that no browser (or proxy) caching occur at all.
This prevents a security issue where letting the SCO session time out,
then hitting the back button allowed one to view the previous
patron's session.

This patch adds an optional fifth parameter to output_with_http_headers(),
and output_html_with_http_headers(), a hashref for miscellaneous
options.  One key is defined at the moment: force_no_caching, which
if present and set to a true value, sets HTTP headers to specify no
browser caching of the page at all.

To test:

[1] Start a web-based self-check session and optionally perform
    some transactions.
[2] Allow the session to time out (it may be helpful to set
    SelfCheckTimeout to a low value such as 10 seconds).
[3] Hit the back button.  You should not see the previous patron's
    self-check session.
[4] Verify that prove -v t/Output.t passes.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
(cherry picked from commit 7b165794cd1875b79177f85db59be42a9708554a)
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
C4/Output.pm
opac/sco/sco-main.pl
t/Output.t
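
A way to check for the condition this commit addresses, as an added example (not Koha's code and not part of the commit): the function audits a response's headers for directives that still let a browser or proxy keep a copy of a session-bound page. The sample responses and their header values are constructed for illustration; the page does not list the headers the patch sets.

```python
# Added example, not Koha code. Header blocks below are constructed samples.

def parse_headers(raw):
    """Map lower-cased header names to lists of values (status line skipped)."""
    headers = {}
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n"):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def caching_findings(raw):
    """Return reasons a session-bound page could still be stored by a cache."""
    directives = {}
    for value in parse_headers(raw).get("cache-control", []):
        for part in value.split(","):
            name, _, arg = part.strip().partition("=")
            if name:
                directives[name.lower()] = arg.strip('"')
    findings = []
    if "no-store" not in directives:
        findings.append("no-store missing: browser or proxy may keep a copy")
    if "public" in directives:
        findings.append("public: shared caches are allowed to store the page")
    max_age = directives.get("max-age", "")
    if max_age.isdigit() and int(max_age) > 0:
        findings.append("max-age=%s: copy is reused without revalidation" % max_age)
    return findings

# Constructed responses: a cacheable page, one with no caching headers, a strict one.
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Cache-Control: private, max-age=300\r\n\r\n<html>")
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html>"
STRICT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Cache-Control: no-store, no-cache, must-revalidate, max-age=0\r\n"
          "Pragma: no-cache\r\nExpires: 0\r\n\r\n<html>")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("bare", BARE), ("strict", STRICT)):
        print(label, caching_findings(raw) or "no caching allowed")
```

Feeding it the headers captured from a self-check page complements the manual back-button test in the commit message.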