[Koha] Unexpected behavior in 3.14 bootstrap OPAC User login

Doug Kingston dpk at randomnotes.org
Sun Feb 9 15:57:24 NZDT 2014


Mystery solved.

I had the OPAC site in my LastPass password manager with the "auto-login"
option set.
Every time I visited the OPAC site, LastPass would provide the login
credentials in the POST.  Koha acted on those credentials even though we
had marked user logins disabled.  This is probably a bug.  If user logins
are disabled, proffered credentials should be ignored.  I'll file a bug if
more knowledgeable developers concur with this assessment.

-Doug-
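The behaviour Doug describes and the fix he proposes, as an added Python model that is not Koha's code: the reported login decision beside one that ignores posted credentials when OPAC logins are disabled. The `opacuserlogin` setting name, the constructed user store and the request shape are assumptions.

```python
# Added example (not Koha code): minimal model of the OPAC login decision from the thread.
# Assumptions: an "opacuserlogin" on/off setting, a cookie-backed session dict and a POST form dict.
from dataclasses import dataclass, field


@dataclass
class Request:
    session: dict = field(default_factory=dict)  # cookie-backed session (cookies ignore the port)
    form: dict = field(default_factory=dict)     # POST body, possibly autofilled by a password manager


USERS = {"dpk": "correct horse"}  # constructed credential store for the example


def credentials_valid(form):
    return USERS.get(form.get("userid")) == form.get("password")


def opac_login_reported(settings, req):
    """Reported behaviour: posted credentials are honoured even when logins are off."""
    if req.session.get("borrower"):
        return "logged_in:session"
    if credentials_valid(req.form):
        req.session["borrower"] = req.form["userid"]
        return "logged_in:credentials"
    return "anonymous"


def opac_login_expected(settings, req):
    """Expected behaviour: with opacuserlogin off, proffered credentials are ignored."""
    if not settings.get("opacuserlogin", True):
        return "anonymous"
    return opac_login_reported(settings, req)


def regression_check():
    """Replays the thread: logins disabled, password manager autofills the POST,
    plus Robin's shared-cookie case (staff-client session presented to the OPAC)."""
    settings = {"opacuserlogin": False}

    def autofilled():
        return Request(form={"userid": "dpk", "password": "correct horse"})

    def staff_session():
        return Request(session={"borrower": "dpk"})

    return {
        "reported_autofill": opac_login_reported(settings, autofilled()),
        "expected_autofill": opac_login_expected(settings, autofilled()),
        "reported_shared_session": opac_login_reported(settings, staff_session()),
        "expected_shared_session": opac_login_expected(settings, staff_session()),
    }
```

A regression test for the bug only needs the two "expected" results: both must stay "anonymous" while the setting is off.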


On Tue, Feb 4, 2014 at 9:19 AM, Elaine Bradtke <eb at efdss.org> wrote:

> The URLs are different.  It looks to me as if it has something to do with
> an auto login feature outside of Koha, but as we've been up to our eyeballs
> in meetings and etc. we haven't had a chance to look any further.  I can
> confirm that no one else on the staff has experienced this.  It seems to
> only happen on Doug's computer, I've seen it with my own eyes, so it must
> be something he has set up there.  Very odd...
> I expect the chances of anyone else replicating this are pretty slim if I
> can't do it. But I would like to know why it's happening, just in case
> there's a vulnerability in Koha.
> Elaine
>
>
> On Mon, Feb 3, 2014 at 9:37 PM, Robin Sheat <robin at catalyst.net.nz> wrote:
>
> > Elaine Bradtke wrote on Mon 03-02-2014 at 21:12 [+0000]:
> > > But How is Koha logging him in when the user
> > > login is disabled in the OPAC altogether?
> >
> > Are the URLs of the OPAC and the staff client the same, but on a
> > different port? If so, they will share cookies and sessions, so if you
> > are logged into the staff client, you are logged in to the OPAC. It
> > possibly doesn't quite know how to handle that when logins are turned
> > off.
> >
> > If the URLs are different, then I haven't helped :)
> >
> > --
> > Robin Sheat
> > Catalyst IT Ltd.
> > ✆ +64 4 803 2204
> > GPG: 5FA7 4B49 1E4D CAA4 4C38  8505 77F5 B724 F871 3BDF
> >
> > _______________________________________________
> > Koha mailing list  http://koha-community.org
> > Koha at lists.katipo.co.nz
> > http://lists.katipo.co.nz/mailman/listinfo/koha
> >
>
>
>
> --
> Elaine Bradtke
> Data Wrangler
> VWML
> English Folk Dance and Song Society | http://www.efdss.org
> Cecil Sharp House, 2 Regent's Park Road, London NW1 7AY
> Tel    +44 (0) 20 7485 2206 (This number is for the English Folk Dance and
> Song Society in London, England. If you wish to phone me personally, send
> an e-mail first. I work off site)
> --------------------------------------------------------------------------
> Registered Company No. 297142
> Charity Registered in England and Wales No. 305999
> ---------------------------------------------------------------------------
> "Writing about music is like dancing about architecture"
> --Elvis Costello (Musician magazine No. 60 (October 1983), p. 52)
>