Bug 10016: force zero browser-side caching of SCO pages
This patch makes the web-based self-check module pages
specify that no browser (or proxy caching) occur at all.
This prevents a security issue where letting the SCO session time out,
then hitting the back button allowed one to view the previous
patron's session.
This patch adds an optional fifth parameter to output_with_http_headers(),
and output_html_with_http_headers(), a hashref for miscellaneous
options. One key is defined at the moment: force_no_caching, which if
if present and set to a true value, sets HTTP headers to specify no
browser caching of the page at all.
To test:
[1] Start a web-based self-check session and optionally perform
some transactions.
[2] Allow the session to time out (it may be helpful to set
SelfCheckTimeout to a low value such as 10 seconds).
[3] Hit the back button. You should not see the previous patron's
self-check session.
[4] Verify that prove -v t/Output.t passes.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
projects / koha.git / commit