From b1165761d8536263cefaa85b1c001a1b76992321 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 19 Jan 2017 11:46:21 +0100
Subject: [PATCH] Bug 9569: Security patch for AutoLocation

If a patron is not allowed to access the staff interface because its IP address in the authorised range of IPs, the cookie should not contain the CGISESSID. If it is, the patron is logged in and will be able to access the staff interface if he reload the page (or hit another one).

Test plan:
Confirm the that AutoLocation feature is now working as expected.

Note: It seems that this feature has never really worked as intended.

Signed-off-by: Chris Cormack
Signed-off-by: Nick Clemens
Signed-off-by: Kyle M Hall
(cherry picked from commit 93cc0956a923e94663ae74d1f435604844536571)
Signed-off-by: Katrin Fischer
---
 C4/Auth.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index b532c8a5fd..d22cc5a45f 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1087,6 +1087,11 @@ sub checkauth {
         $domain =~ s|\.\*||g;
         if ( $ip !~ /^$domain/ ) {
             $loggedin = 0;
+            $cookie = $query->cookie(
+                -name => 'CGISESSID',
+                -value => '',
+                -HttpOnly => 1
+            );
             $info{'wrongip'} = 1;
         }
     }
-- 
2.39.5
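Review bot: The replacement cookie only blanks the client-side value; nothing in the hunk invalidates the server-side session, so a session created before the IP check (or a copy of the original CGISESSID value) stays usable in the session store until it expires on its own, and if the `$session` object is still in scope at this point it should be torn down too, e.g. `$session->delete; $session->flush;` before `$cookie` is rebuilt. The new cookie also carries no `-expires`, so the browser keeps an empty CGISESSID cookie instead of dropping it; adding `-expires => '-1d',` after `-value => '',` removes it outright, and whether `-secure` should be set here should follow whatever the other CGISESSID cookies in this file do (not visible in the hunk). Separately, the surrounding test `$ip !~ /^$domain/` interpolates `$domain` unescaped and only anchors the start, so dots match any character and a range like `10.1.1` also admits `10.1.10.x` and `10.1.1x.y`; this security patch inherits that prefix match rather than fixing it, and anchoring on an escaped value (`/^\Q$domain\E(?:\.|$)/`) would close it. `checkauth` begins before and continues after this hunk.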