[Koha] [Koha-devel] SIP2 AF field sent even if patron password is invalid

Galen Charlton gmc at esilibrary.com
Wed Jul 30 03:55:45 NZST 2014


Hi,

On Tue, Jul 29, 2014 at 8:35 AM, Kyle Hall <kyle.m.hall at gmail.com> wrote:
> I have an interesting SIP2 implementation issue. When authenticating through
> SIP2, if a valid patron id is passed in, but an *invalid* password is passed
> in, Koha's SIP2 server sends back the AF ( screen message ) field even though
> the credentials are invalid. If a patron owes any fees, the server will send
> back the amount owed in an AF field.

Sadly, it looks like the only provision that the SIP2 specification
makes for dealing with an invalid patron password is to set the CQ
field.  My reading of the spec is that the expected behavior regarding
other fields in the patron status and patron information responses is
undefined when an incorrect password is supplied.

> For instance, Overdrive will display this AF field even with an invalid
> password. Freegal does not ( but it may not display any AF field ). At least
> one SIP2 machine we tested against will also display the AF field when an
> invalid password is submitted.
>
> Is this a Koha issue, or a client side issue? The SIP2 protocol
> specification does not indicate that AF fields should be removed in the
> event of an invalid password. My guess is that some SIP2 server
> implementations may send back "Invalid password" messages which may be
> useful.

Possibly.  In any event, I think we should either not send an AF, or
send one that contains something like "Invalid password" if the patron
password is wrong.

That leaves open the question about what to do with other fields,
particularly in the patron information response.  My feeling is that
we should be conservative: if a patron password is sent via patron
status or patron information requests, and it's wrong, no information
about the patron should be returned.  There may need to be a
configuration option controlling this behavior.

Regards,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org
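To make the two behaviours discussed above concrete, here is an added example (my own illustration, not code from Koha's SIP2 server or from anyone in this thread) that builds a SIP2 Patron Information response (message 64) for a constructed patron record. The patron record, the plaintext password comparison, the `conservative` switch and the `leaks_after_bad_password` check are assumptions made for illustration; the field tags (AO, AA, AE, BL, CQ, BH, BV, AF, AY, AZ) and the checksum rule are the ones the SIP2 specification defines. The lenient path reproduces the leak described at the top of the thread (fee data and an AF screen message sent although CQ is N); the conservative path returns only BL, CQ and an "Invalid password" AF, as suggested above.

```python
"""Constructed SIP2 Patron Information (64) builder: lenient vs. conservative
handling of a wrong patron password. Added example, not Koha code."""

# Constructed sample patron (assumption; a real ILS holds a password hash).
PATRON = {
    "id": "23529000035676",
    "name": "Doe, Jane",
    "password": "s3cret",
    "institution": "MAIN",
    "fees_owed": 12.50,
}

# Transaction date in SIP2 form YYYYMMDDZZZZHHMMSS, fixed here for determinism.
NOW = "20140729    120000"
# Message id (2) + patron status (14) + language (3) + date (18) + six 4-digit counts.
HEADER_LEN = 2 + 14 + 3 + 18 + 6 * 4


def sip2_checksum(message: str) -> str:
    """Four uppercase hex digits such that the byte sum of message+checksum
    is congruent to 0 mod 65536 (the SIP2 AZ rule)."""
    return f"{(-sum(message.encode('ascii'))) & 0xFFFF:04X}"


def patron_information_response(patron_id: str, password: str, *,
                                conservative: bool, patron=PATRON, seq=0) -> str:
    """Build a 64 response for the constructed patron record."""
    valid_patron = patron_id == patron["id"]
    valid_password = valid_patron and password == patron["password"]

    msg = "64" + " " * 14 + "001" + NOW + "0000" * 6
    msg += f"AO{patron['institution']}|AA{patron_id}|"

    fields = []
    if not valid_patron:
        fields += ["BLN", "CQN"]
    elif valid_password or not conservative:
        # Lenient path: identifying and fee data go out even when the
        # password check failed; only CQ tells the client something is wrong.
        fields += [f"AE{patron['name']}", "BLY",
                   "CQ" + ("Y" if valid_password else "N")]
        if patron["fees_owed"] > 0:
            fields += ["BHUSD", f"BV{patron['fees_owed']:.2f}",
                       f"AFYou owe ${patron['fees_owed']:.2f} in fines."]
    else:
        # Conservative path: acknowledge the failure and disclose nothing else.
        fields += ["BLY", "CQN", "AFInvalid password"]

    msg += "".join(f + "|" for f in fields)
    msg += f"AY{seq}AZ"           # AY value is followed directly by AZ, no '|'
    return msg + sip2_checksum(msg)


def parse_fields(msg: str) -> dict:
    """Return the variable-length fields of a 64 response as {tag: value}."""
    body, _, tail = msg[HEADER_LEN:].rpartition("|")
    fields = {chunk[:2]: chunk[2:] for chunk in body.split("|") if chunk}
    ay, _, az = tail.partition("AZ")   # tail looks like 'AY0AZ1A2B'
    fields[ay[:2]] = ay[2:]
    fields["AZ"] = az
    return fields


def checksum_ok(msg: str) -> bool:
    """Recompute the AZ checksum over everything before its four hex digits."""
    return sip2_checksum(msg[:-4]) == msg[-4:]


def leaks_after_bad_password(msg: str) -> bool:
    """Client-side check (assumption): CQ=N but patron data is still present."""
    f = parse_fields(msg)
    return f.get("CQ") == "N" and any(tag in f for tag in ("AE", "BH", "BV"))


if __name__ == "__main__":
    for conservative in (False, True):
        resp = patron_information_response(PATRON["id"], "wrong",
                                           conservative=conservative)
        print(f"conservative={conservative}: {resp}")
        print("  leaks patron data:", leaks_after_bad_password(resp))
```

Running the block prints both responses for a wrong password; `leaks_after_bad_password` is the kind of assertion a SIP2 client test harness could run against any server to see which of the two behaviours it implements.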