From ed8a9cff24bdd2d76c925e0db4cab6b920d0be13 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 27 Jan 2022 12:33:57 +0100
Subject: [PATCH] Bug 29957: Clear cookies on logout
Signed-off-by: Martin Renvoize
Signed-off-by: Marcel de Rooy
Amended: Reverted the change to $cookies to minimize changes. Fixed Auth.t where checkauth is being mocked.
Signed-off-by: Nick Clemens
Signed-off-by: Martin Renvoize
Signed-off-by: Fridolin Somers
---
 C4/Auth.pm | 32 ++++++++++++++++++++------------
 t/db_dependent/Auth.t | 2 +-
 2 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 67158a00d0..7f5ebb3a4d 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -154,6 +154,7 @@ sub get_template_and_user {
 my $in = shift;
 my ( $user, $cookie, $sessionID, $flags );
+ $cookie = [];
 # Get shibboleth login attribute
 my $shib = C4::Context->config('useshibboleth') && shib_ok();
@@ -243,7 +244,7 @@ sub get_template_and_user {
 if ($kick_out) {
 $template = C4::Templates::gettemplate( 'opac-auth.tt', 'opac', $in->{query} );
- $cookie = $in->{query}->cookie(
+ push @$cookie, $in->{query}->cookie(
 -name => 'CGISESSID',
 -value => '',
 -expires => '',
@@ -654,11 +655,7 @@ sub get_template_and_user {
 # what to do
 my $language = C4::Languages::getlanguage( $in->{'query'} );
 my $languagecookie = C4::Templates::getlanguagecookie( $in->{'query'}, $language );
- if ( ref $cookie eq 'ARRAY' ) {
- push @{$cookie}, $languagecookie;
- } else {
- $cookie = [ $cookie, $languagecookie ];
- }
+ push @{$cookie}, $languagecookie;
 }
 return ( $template, $borrowernumber, $cookie, $flags );
@@ -808,6 +805,15 @@ sub _timeout_syspref {
 return $timeout;
 }
+sub clear_all_cookies {
+ my ( $query ) = shift;
+ my @cookies;
+ for my $cookie_name ( $query->cookie ) {
+ push @cookies, $query->cookie( -name => $cookie_name, -value => '', -expires => '', -HttpOnly => 1 );
+ }
+ return \@cookies;
+ }
+
 sub checkauth {
 my $query = shift;
 
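Review bot: The expiring cookies built in clear_all_cookies carry only -name, -value, -expires and -HttpOnly, no -path, -domain or -secure, so any cookie the application set with an explicit path or domain will not match and the browser keeps it; whether the language cookie or any other Koha cookie is set that way is not visible here and is worth confirming against the code that creates them. It is also worth verifying that CGI emits an Expires attribute for `-expires => ''`: if it does not, each cookie is overwritten with an empty session cookie rather than removed (the CGISESSID cookies elsewhere in this patch use the same pattern). Note that `$query->cookie` with no arguments lists every cookie the client sent, including ones not set by this application, and all of them get an expiring copy. The new sub has no documentation — a header such as `# Build an expiring copy of every cookie the client sent, so a logout response removes them all` would help — and `my ( $query ) = shift;` mixes list assignment with shift; `my ($query) = @_;` is the conventional form. checkauth starts on the last lines of the hunk and continues outside it.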
@@ -844,6 +850,7 @@ sub checkauth {
 my $loggedin = 0;
 my %info;
 my ( $userid, $cookie, $sessionID, $flags );
+ $cookie = [];
 my $logout = $query->param('logout.x');
 my $anon_search_history;
@@ -867,7 +874,7 @@ sub checkauth {
 if ( !$shib and defined( $ENV{'REMOTE_USER'} ) and $ENV{'REMOTE_USER'} ne '' and $userid = $ENV{'REMOTE_USER'} ) {
 # Using Basic Authentication, no cookies required
- $cookie = $query->cookie(
+ push @$cookie, $query->cookie(
 -name => 'CGISESSID',
 -value => '',
 -expires => '',
@@ -912,6 +919,7 @@ sub checkauth {
 my $shibSuccess = C4::Context->userenv->{'shibboleth'};
 $session->delete();
 $session->flush;
+ $cookie = clear_all_cookies($query);
 C4::Context::_unset_userenv($sessionID);
 $sessionID = undef;
@@ -925,7 +933,7 @@ sub checkauth {
 }
 }
 else {
- $cookie = $query->cookie(
+ push @$cookie, $query->cookie(
 -name => 'CGISESSID',
 -value => $session->id,
 -HttpOnly => 1,
@@ -969,7 +977,7 @@ sub checkauth {
 $sessionID = $session->id;
 C4::Context->_new_userenv($sessionID);
- $cookie = $query->cookie(
+ push @$cookie, $query->cookie(
 -name => 'CGISESSID',
 -value => $sessionID,
 -HttpOnly => 1,
@@ -1169,7 +1177,7 @@ sub checkauth {
 $domain =~ s|\.\*||g;
 if ( $ip !~ /^$domain/ ) {
 $loggedin = 0;
- $cookie = $query->cookie(
+ push @$cookie, $query->cookie(
 -name => 'CGISESSID',
 -value => '',
 -HttpOnly => 1,
@@ -1257,8 +1265,8 @@ sub checkauth {
 if ( $loggedin || $authnotrequired ) {
 # successful login
- unless ($cookie) {
- $cookie = $query->cookie(
+ unless (@$cookie) {
+ push @$cookie, $query->cookie(
 -name => 'CGISESSID',
 -value => '',
 -HttpOnly => 1,
diff --git a/t/db_dependent/Auth.t b/t/db_dependent/Auth.t
index 8c7f82c666..a6fbc448e3 100755
--- a/t/db_dependent/Auth.t
+++ b/t/db_dependent/Auth.t
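Review bot: Turning `$cookie = $query->cookie(...)` into `push @$cookie, $query->cookie(...)` (the hunks at 874, 933, 977, 1177 and 1265) means a CGISESSID cookie already in @$cookie is no longer replaced: the blank CGISESSID pushed in the IP-range check at 1177 now goes out alongside any session cookie pushed earlier in the same request, and the outcome depends on the client applying the later Set-Cookie header. Whether both branches can execute in one request is not visible from the hunks; if they can, dropping the earlier entry first, e.g. `@$cookie = grep { $_->name ne 'CGISESSID' } @$cookie;`, keeps one cookie per name. The logout branch at 919 assigns `clear_all_cookies($query)` to the whole array, discarding anything pushed before it, which matches the old scalar assignment, so only the duplicate-name ordering is new. checkauth begins and ends outside these hunks.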
@@ -229,7 +229,7 @@ subtest 'get_template_and_user' => sub { # Tests for the language URL paramete
 -HttpOnly => 1
 );
- return ( $userid, $session_cookie, $sessionID, $flags );
+ return ( $userid, [ $session_cookie ], $sessionID, $flags );
 }
 # Mock checkauth, build the scenario
-- 
2.39.5
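Review bot: This test change only keeps the mocked checkauth in step with the new arrayref return; nothing in the patch exercises clear_all_cookies or the logout path it is called from. A test that builds a CGI query carrying two or three cookies, calls clear_all_cookies and checks that one cookie per name comes back with an empty value and the HttpOnly flag would pin the new behaviour. The mock sub and the enclosing subtest begin outside the hunk.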