[Koha] Koha security issue.

Chris Cormack chrisc at catalyst.net.nz
Fri Nov 5 07:44:30 NZDT 2010


* Scott Kushner (skushner at mtpl.org) wrote:
>    We are using Mozilla Firefox 3.5.4 for Koha access for our patrons. After
>    one patron is done and walks away, the next patron can use the "back"
>    button to access the previous patron's records - if 6 patrons have used this
>    workstation, all of their transactions can be seen by the last patron. Has
>    the new release of Koha addressed this security issue? Does anyone have a
>    "one-patron session" fix for this?
> 
What version of Koha are you using, and are your patrons logging out?
What a lot of libraries do is close the browser and reopen on logout.
Another way is to disable the back button.

But the safest way is to close the browser and reopen it on logout.
It's a function of the browser reposting the login details, rather than
anything in Koha. Closing the browser is the safest way to clear out
that information.

You can do all sorts of tricks with JS, to try and rewrite history etc.
Or force a reload of the page (to trigger the login prompt) but simply
disabling JavaScript gets round them. Telling people to close the
browser (and having it set up to restart) is the safest option.

Chris
-- 
Chris Cormack
Catalyst IT Ltd.
+64 4 803 2238
PO Box 11-053, Manners St, Wellington 6142, New Zealand
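
One way to set up the "close the browser and have it restart" arrangement recommended above on a Linux public workstation, as an added example that is not part of the original message or of Koha. OPAC_URL, BROWSER and the function names are assumptions; each patron session gets a throwaway Firefox profile, so history, cache and cached login details are deleted when the window is closed.

```shell
#!/bin/sh
# Kiosk wrapper: one throwaway browser profile per patron session.
# Assumptions (not from the original post): OPAC_URL is a placeholder
# address, BROWSER defaults to firefox, function names are hypothetical.

OPAC_URL="${OPAC_URL:-http://opac.example.org/}"
BROWSER="${BROWSER:-firefox}"

# Run one session: create a fresh profile, run the browser in the
# foreground, then wipe the profile when the browser exits.
# Prints the profile path so a caller can check that it is gone.
run_session() {
    profile=$(mktemp -d "${TMPDIR:-/tmp}/opac-session.XXXXXX") || return 1
    chmod 700 "$profile"
    # -no-remote: do not attach to another running Firefox instance.
    # -profile:   keep all session state inside the throwaway directory.
    "$BROWSER" -no-remote -profile "$profile" "$OPAC_URL"
    # Remove history, cache, cookies and cached credentials, even if
    # the browser crashed or was killed.
    rm -rf -- "$profile"
    printf '%s\n' "$profile"
}

# Restart the browser every time it is closed. Pause briefly if a
# profile could not be created, to avoid a tight failure loop.
kiosk_loop() {
    while :; do
        run_session >/dev/null || sleep 5
    done
}

# Only start the loop when asked to: ./opac-kiosk.sh --run
if [ "${1:-}" = "--run" ]; then
    kiosk_loop
fi
```

Patrons still need a visible prompt to close the window when they finish; the wrapper only guarantees that nothing survives once they do.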