From 23d3ca374fe2940ba016612f41310b539ce4e0c8 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 19 Jan 2017 11:46:21 +0100 Subject: [PATCH] Bug 9569: Security patch for AutoLocation If a patron is not allowed to access the staff interface because its IP address is not in the authorised range of IPs, the cookie should not contain the CGISESSID. If it is, the patron is logged in and will be able to access the staff interface if he reloads the page (or hits another one). Test plan: Confirm that the AutoLocation feature is now working as expected. Note: It seems that this feature has never really worked as intended. Signed-off-by: Chris Cormack Signed-off-by: Nick Clemens Signed-off-by: Kyle M Hall (cherry picked from commit 93cc0956a923e94663ae74d1f435604844536571) Signed-off-by: Julian Maurice --- C4/Auth.pm | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/C4/Auth.pm b/C4/Auth.pm index 6823d80411..6b53f00c91 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1083,6 +1083,11 @@ sub checkauth { $domain =~ s|\.\*||g; if ( $ip !~ /^$domain/ ) { $loggedin = 0; + $cookie = $query->cookie( + -name => 'CGISESSID', + -value => '', + -HttpOnly => 1 + ); $info{'wrongip'} = 1; } } -- 2.39.5
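Review bot: the replacement cookie built with `-value => ''` carries no `-expires`, so the browser keeps an empty-valued `CGISESSID` instead of discarding it, and nothing in this hunk invalidates the session on the server side; consider adding an expiry in the past (e.g. `-expires => '-1d'`) and deleting or flushing the session object in the same branch so the previously issued session ID cannot be presented again. Separately, the surrounding guard `if ( $ip !~ /^$domain/ )` is an unescaped prefix match: `.` in the configured value matches any character and an address that merely begins with the configured string passes, so a comparison anchored on octet boundaries (quote the prefix with `\Q...\E` and require a following `.` or end of string) would make the AutoLocation check tighter.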