From f3b90f78f5010aaa9e705026e3db556a40fccaa1 Mon Sep 17 00:00:00 2001 From: Martin Renvoize Date: Tue, 30 Dec 2014 13:54:50 +0000 Subject: [PATCH] Bug 12954: Failed login should retain anonymous session A failed login should not leave the user in a half logged authenticated state, but rather return them to an anonymouse session as per the pre-login attempt state. To replicate error: 1. Try to log in with some nonexisting user id or wrong password in the OPAC 2. Go directly to /opac-user.pl (e.g., enter it in the browser address bar, or just click on the "Log in" link) 3. Observe a DBI error displayed on the screen 4. You are now in the "deadloop" of sorts (opac/opac-user.pl refuses to display the login screen, no matter how many times you try to reload it); to break the deadloop, one needs to: - remove session cookie from the browser (or cause the session to expire in some other way - closing browser window would be probably enough for that) - remove offending session on the server (from mysql sessions table, ..) - log in with proper credentials using some other page (like opac/opac-main.pl right-side panel), which does not involve opac/opac-user.pl being called without "userid" CGI parameter. To test: 1. Test as above, the DBI error should no longer be present 2. Check that search history works across failed and sucessful login attempts Signed-off-by: Chris Cormack Signed-off-by: Jonathan Druart Signed-off-by: Tomas Cohen Arazi (cherry picked from commit 229a3b329c9fbe1567a9cd0796dce7ddf1aca781) Signed-off-by: Chris Cormack --- C4/Auth.pm | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index e11fa249e8..3cb7f7e030 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -966,7 +966,10 @@ sub checkauth { checkpw( $dbh, $userid, $password, $query ); $userid = $retuserid if ($retuserid); $info{'invalid_username_or_password'} = 1 unless ($return); - } } + } + } + + # $return: 1 = valid user, 2 = superlibrarian if ($return) { #_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime)); @@ -1090,13 +1093,17 @@ sub checkauth { ); } + # $return: 0 = invalid user + # reset to anonymous session else { + $debug and warn "Login failed, resetting anonymous session..."; if ($userid) { $info{'invalid_username_or_password'} = 1; C4::Context->_unset_userenv($sessionID); } $session->param( 'lasttime', time() ); $session->param( 'ip', $session->remote_addr() ); + $session->param( 'sessiontype', 'anon' ); } } # END if ( $userid = $query->param('userid') ) elsif ( $type eq "opac" ) { -- 2.39.5