Mystery solved. I had the OPAC site in my LastPass password manager with the "auto-login" option set. Every time I visited the OPAC site, LastPass would provide the login credentials in the POST. Koha acted on those credentials even though we had marked user logins disabled. This is probably a bug. If user logins are disabled, proffered credentials should be ignored. I'll file a bug if more knowledgeable developers concur with this assessment.
-Doug-
On Tue, Feb 4, 2014 at 9:19 AM, Elaine Bradtke <eb@efdss.org> wrote:
The URLs are different. It looks to me as if it has something to do with an auto login feature outside of Koha, but as we've been up to our eyeballs in meetings etc. we haven't had a chance to look any further. I can confirm that no one else on the staff has experienced this. It seems to only happen on Doug's computer. I've seen it with my own eyes, so it must be something he has set up there. Very odd... I expect the chances of anyone else replicating this are pretty slim if I can't do it. But I would like to know why it's happening, just in case there's a vulnerability in Koha.
Elaine
On Mon, Feb 3, 2014 at 9:37 PM, Robin Sheat <robin@catalyst.net.nz> wrote:
Elaine Bradtke wrote on Mon 03-02-2014 at 21:12 [+0000]:
But how is Koha logging him in when the user login is disabled in the OPAC altogether?
Are the URLs of the OPAC and the staff client the same, but on a different port? If so, they will share cookies and sessions, so if you are logged into the staff client, you are logged in to the OPAC. It possibly doesn't quite know how to handle that when logins are turned off.
If the URLs are different, then I haven't helped :)
-- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5FA7 4B49 1E4D CAA4 4C38 8505 77F5 B724 F871 3BDF
_______________________________________________ Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz http://lists.katipo.co.nz/mailman/listinfo/koha
-- Elaine Bradtke Data Wrangler VWML English Folk Dance and Song Society | http://www.efdss.org Cecil Sharp House, 2 Regent's Park Road, London NW1 7AY Tel +44 (0) 20 7485 2206 (This number is for the English Folk Dance and Song Society in London, England. If you wish to phone me personally, send an e-mail first. I work off site) -------------------------------------------------------------------------- Registered Company No. 297142 Charity Registered in England and Wales No. 305999 --------------------------------------------------------------------------- "Writing about music is like dancing about architecture" --Elvis Costello (Musician magazine No. 60 (October 1983), p. 52)
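The behaviour reported at the top of this thread (credentials auto-submitted in a POST are acted on although logins are disabled), next to a handler that enforces the setting on the server. This is an added example, not part of the original messages and not Koha's own code; the setting name `opac_user_login`, the handler functions and the sample data are hypothetical. It goes one step beyond the report by also discarding an identity already carried in the session when logins are disabled.

```python
import hmac

# Constructed sample data. A real system stores password hashes, not plaintext.
USERS = {"doug": "correct horse"}
PREFS = {"opac_user_login": False}   # hypothetical setting name: logins disabled


def check_password(userid, password):
    """Constant-time comparison against the constructed user table."""
    expected = USERS.get(userid)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def handle_as_described(post, session, prefs):
    """Behaviour reported in the thread: the setting is never consulted,
    so credentials arriving in the POST body are still processed."""
    if "userid" in post and check_password(post["userid"], post.get("password", "")):
        session["user"] = post["userid"]
    return session.get("user")


def handle_hardened(post, session, prefs):
    """Enforce the setting server-side: with logins disabled, posted
    credentials are never evaluated and the request stays anonymous."""
    if not prefs["opac_user_login"]:
        session.pop("user", None)    # also drop any identity held in the session
        return None
    if "userid" in post and check_password(post["userid"], post.get("password", "")):
        session["user"] = post["userid"]
    return session.get("user")


# What a password manager's auto-login submits on page load (constructed).
AUTOFILL_POST = {"userid": "doug", "password": "correct horse"}

if __name__ == "__main__":
    print("as described:", handle_as_described(AUTOFILL_POST, {}, PREFS))
    print("hardened:    ", handle_hardened(AUTOFILL_POST, {}, PREFS))
```

Hiding the login form only changes what the browser renders; the check has to sit in the code path that receives the request.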