Unexpected behavior in 3.14 bootstrap OPAC User login
A mystery: We recently implemented the bootstrap OPAC theme in our production site and updated the system to 3.14.2. The IT half of the team (Doug Kingston) mentioned that since we started using bootstrap he is sent to an unexpected screen in the OPAC. The home screen is the same, but after a very short pause he is sent to a screen that says Welcome Doug Kingston. We have user logins disabled on the OPAC, and he never saw the login box, it just did it automatically and invisibly (he was logged into the Admin. site at the time).

But that's not the only mystery. It only happens to him, not to me. We both have Superlibrarian status, we're running the same OS (X 10.9.1) on our nearly identical laptops, we're using the same browser (Chrome)... I thought it might be because I have DoNotTrackMe running in my browser. But I tested it on another instance of Chrome without DoNotTrackMe running (on a virtual machine running XP) and it still doesn't log me into the OPAC. I also tried it on Firefox, but in either case I can't get it to replicate what it does for Doug.

He suspects it has something to do with cookies, but hasn't had a chance to delve any deeper into the problem other than to verify that it doesn't happen in an incognito window. Another variable may be auto login features in Chrome and LastPass. If Doug turns off LastPass, the auto login stops (though it never happens on my computer in either browser with LastPass turned on).

The library staff has gone home for the day, so I don't know if any of them has noticed this quirk. The response to the new theme has been otherwise quite positive. I'm tempted to take the precaution of switching the theme back to prog, on the extremely remote chance that there's an underlying security issue somewhere. Thoughts, comments, has anyone else seen this happen?
-- 
Elaine Bradtke
Data Wrangler, VWML
English Folk Dance and Song Society | http://www.efdss.org
Cecil Sharp House, 2 Regent's Park Road, London NW1 7AY
Tel +44 (0) 20 7485 2206 (This number is for the English Folk Dance and Song Society in London, England. If you wish to phone me personally, send an e-mail first. I work off site)
Registered Company No. 297142
Charity Registered in England and Wales No. 305999
"Writing about music is like dancing about architecture" --Elvis Costello (Musician magazine No. 60 (October 1983), p. 52)
> If Doug turns off LastPass, the auto login stops (though it never happens on my computer in either browser with LastPass turned on).

Maybe a configuration difference in LastPass?

-- 
Owen
Web Developer
Athens County Public Libraries
http://www.myacpl.org
That's my best guess too Owen. But how is Koha logging him in when the user login is disabled in the OPAC altogether? As far as I know LastPass only does an auto login when there are actual fields requesting login data. I think there's something going on between the two but it's going to take someone with more technical know-how to figure it out.

On Mon, Feb 3, 2014 at 6:58 PM, Owen Leonard <oleonard@myacpl.org> wrote:
> > If Doug turns off LastPass, the auto login stops (though it never happens on my computer in either browser with LastPass turned on).
>
> Maybe a configuration difference in LastPass?
>
> -- 
> Owen
> Web Developer
> Athens County Public Libraries
> http://www.myacpl.org
>
> _______________________________________________
> Koha mailing list http://koha-community.org
> Koha@lists.katipo.co.nz
> http://lists.katipo.co.nz/mailman/listinfo/koha
Elaine Bradtke wrote on Mon 03-02-2014 at 21:12 [+0000]:
> But how is Koha logging him in when the user login is disabled in the OPAC altogether?

Are the URLs of the OPAC and the staff client the same, but on a different port? If so, they will share cookies and sessions, so if you are logged into the staff client, you are logged in to the OPAC. It possibly doesn't quite know how to handle that when logins are turned off.

If the URLs are different, then I haven't helped :)

-- 
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
GPG: 5FA7 4B49 1E4D CAA4 4C38 8505 77F5 B724 F871 3BDF
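Robin's point is that browsers scope cookies by host name, not by host name plus port, so a staff client on port 8080 and an OPAC on port 80 of the same host receive each other's session cookies (RFC 6265 explicitly provides no isolation by port). The following is an added example, not part of the thread and not Koha's code; it uses Python's http.cookiejar as a stand-in for a browser's cookie store, and the hostnames, paths and the cookie name "staffsession" are constructed placeholders.

```python
import email.message
import http.cookiejar
import urllib.request
from typing import List, Optional


class ConstructedResponse:
    """Stand-in for an HTTP response (constructed for this example).
    CookieJar.extract_cookies() only needs .info() to return a headers
    object with get_all(), which email.message.Message provides."""

    def __init__(self, set_cookie_values: List[str]) -> None:
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # repeated keys are kept, not replaced

    def info(self) -> email.message.Message:
        return self._headers


def cookie_sent_to(set_by_url: str, set_cookie: str, later_url: str) -> Optional[str]:
    """Store a cookie as if the server at set_by_url had sent it, then return
    the Cookie header the jar attaches to a request for later_url
    (None when the jar would not send the cookie there)."""
    jar = http.cookiejar.CookieJar()  # default policy: Netscape-style cookies, port ignored
    jar.extract_cookies(ConstructedResponse([set_cookie]),
                        urllib.request.Request(set_by_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


# Constructed URLs: staff client on port 8080 and OPAC on port 80 of ONE host,
# versus an OPAC served from a separate hostname.
STAFF_URL = "http://library.example:8080/staff/"
OPAC_SAME_HOST_URL = "http://library.example/opac/"
OPAC_OTHER_HOST_URL = "http://catalogue.example/opac/"
# Constructed session cookie; name and value are placeholders, not Koha's.
STAFF_COOKIE = "staffsession=constructed-session-id; Path=/"


def port_isolation_demo() -> dict:
    """Return the Cookie header sent in each deployment shape."""
    return {
        "same_host_other_port": cookie_sent_to(STAFF_URL, STAFF_COOKIE, OPAC_SAME_HOST_URL),
        "other_host": cookie_sent_to(STAFF_URL, STAFF_COOKIE, OPAC_OTHER_HOST_URL),
    }


if __name__ == "__main__":
    for case, header in port_isolation_demo().items():
        print(f"{case}: Cookie header = {header!r}")
```

The first case shows the staff session cookie riding along to the OPAC on the same host; the second shows that a distinct hostname (which the thread later confirms is this site's layout) keeps the two sessions apart. Python's jar is liberal about host-only cookies and subdomains, so the example deliberately uses an unrelated second hostname to keep the comparison to the host-versus-port point.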
The URLs are different. It looks to me as if it has something to do with an auto login feature outside of Koha, but as we've been up to our eyeballs in meetings etc. we haven't had a chance to look any further. I can confirm that no one else on the staff has experienced this. It seems to only happen on Doug's computer, I've seen it with my own eyes, so it must be something he has set up there. Very odd... I expect the chances of anyone else replicating this are pretty slim if I can't do it. But I would like to know why it's happening, just in case there's a vulnerability in Koha.

Elaine

On Mon, Feb 3, 2014 at 9:37 PM, Robin Sheat <robin@catalyst.net.nz> wrote:
> Elaine Bradtke wrote on Mon 03-02-2014 at 21:12 [+0000]:
> > But how is Koha logging him in when the user login is disabled in the OPAC altogether?
>
> Are the URLs of the OPAC and the staff client the same, but on a different port? If so, they will share cookies and sessions, so if you are logged into the staff client, you are logged in to the OPAC. It possibly doesn't quite know how to handle that when logins are turned off.
>
> If the URLs are different, then I haven't helped :)
>
> -- 
> Robin Sheat
> Catalyst IT Ltd.
> ✆ +64 4 803 2204
> GPG: 5FA7 4B49 1E4D CAA4 4C38 8505 77F5 B724 F871 3BDF
Mystery solved. I had the OPAC site in my LastPass password manager with the "auto-login" option set. Every time I visited the OPAC site, LastPass would provide the login credentials in the POST. Koha acted on those credentials even though we had marked user logins disabled. This is probably a bug. If user logins are disabled, proffered credentials should be ignored. I'll file a bug if more knowledgeable developers concur with this assessment.

-Doug-

On Tue, Feb 4, 2014 at 9:19 AM, Elaine Bradtke <eb@efdss.org> wrote:
> The URLs are different. It looks to me as if it has something to do with an auto login feature outside of Koha, but as we've been up to our eyeballs in meetings etc. we haven't had a chance to look any further. I can confirm that no one else on the staff has experienced this. It seems to only happen on Doug's computer, I've seen it with my own eyes, so it must be something he has set up there. Very odd... I expect the chances of anyone else replicating this are pretty slim if I can't do it. But I would like to know why it's happening, just in case there's a vulnerability in Koha.
>
> Elaine
>
> On Mon, Feb 3, 2014 at 9:37 PM, Robin Sheat <robin@catalyst.net.nz> wrote:
> > Elaine Bradtke wrote on Mon 03-02-2014 at 21:12 [+0000]:
> > > But how is Koha logging him in when the user login is disabled in the OPAC altogether?
> >
> > Are the URLs of the OPAC and the staff client the same, but on a different port? If so, they will share cookies and sessions, so if you are logged into the staff client, you are logged in to the OPAC. It possibly doesn't quite know how to handle that when logins are turned off.
> >
> > If the URLs are different, then I haven't helped :)
> >
> > -- 
> > Robin Sheat
> > Catalyst IT Ltd.
> > ✆ +64 4 803 2204
> > GPG: 5FA7 4B49 1E4D CAA4 4C38 8505 77F5 B724 F871 3BDF
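Doug's diagnosis is that the "logins disabled" preference only hid the OPAC login form, while the server still authenticated any credentials that arrived in a POST, which a password manager set to auto-submit supplies on every visit. The following is an added example, not Koha's code and not from the thread: a minimal Python model of a page handler with the reported behaviour beside a version that gates credential handling on the same preference and records the ignored attempt. The flag name, account, password and audit list are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    """Just enough of an HTTP request for the example: method, form fields
    and the user bound to an existing session, if any (constructed)."""
    method: str
    form: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None


# Constructed account; a real system compares against a salted password hash.
_ACCOUNTS = {"dkingston": "constructed-password"}


def credentials_valid(userid: str, password: str) -> bool:
    return _ACCOUNTS.get(userid) == password


def opac_page_unchecked(req: Request, user_logins_enabled: bool) -> dict:
    """Behaviour the thread describes: the preference decides only whether
    the form is rendered; credentials posted anyway are still honoured."""
    user = req.session_user
    if req.method == "POST" and "userid" in req.form:
        if credentials_valid(req.form["userid"], req.form.get("password", "")):
            user = req.form["userid"]
    return {"user": user, "login_form_shown": user_logins_enabled}


# Constructed audit sink; a deployment would write to its application or syslog.
AUDIT: List[str] = []


def opac_page_gated(req: Request, user_logins_enabled: bool) -> dict:
    """Hardened variant: when OPAC logins are disabled, proffered credentials
    are ignored before any password check runs, and the attempt is recorded
    because no legitimate client should be posting them."""
    if not user_logins_enabled:
        if req.method == "POST" and ("userid" in req.form or "password" in req.form):
            AUDIT.append(
                f"ignored posted credentials for {req.form.get('userid', '?')!r}: OPAC logins disabled"
            )
        return {"user": None, "login_form_shown": False}
    return opac_page_unchecked(req, True)


def autofill_demo() -> dict:
    """Simulate a password manager auto-submitting the remembered form on a
    page that never rendered one, and compare both handlers."""
    AUDIT.clear()
    posted = Request("POST", {"userid": "dkingston", "password": "constructed-password"})
    return {
        "unchecked": opac_page_unchecked(posted, user_logins_enabled=False)["user"],
        "gated": opac_page_gated(posted, user_logins_enabled=False)["user"],
        "gated_when_enabled": opac_page_gated(posted, user_logins_enabled=True)["user"],
        "audit_entries": len(AUDIT),
    }


if __name__ == "__main__":
    for key, value in autofill_demo().items():
        print(f"{key}: {value!r}")
    for line in AUDIT:
        print("audit:", line)
```

The gate sits in front of the password check rather than in the template, so the preference governs behaviour and not just appearance; the audit line gives operators a signal that something on a client is still posting credentials to a page that should not accept them.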
Participants (4):
- Doug Kingston
- Elaine Bradtke
- Owen Leonard
- Robin Sheat