Merge branch 'bug_8977' into 3.12-master

[koha_fer] / C4 / Auth.pm

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 4ea03c0..2eb63f5 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -635,13 +635,15 @@ sub checkauth {
     if ( $userid = $ENV{'REMOTE_USER'} ) {
         # Using Basic Authentication, no cookies required
         $cookie = $query->cookie(
-            -name    => 'CGISESSID',
-            -value   => '',
-            -expires => ''
+            -name     => 'CGISESSID',
+            -value    => '',
+            -expires  => '',
+            -HttpOnly => 1,
         );
         $loggedin = 1;
     }
-    elsif ( $sessionID = $query->cookie("CGISESSID")) {     # assignment, not comparison
+    elsif ( $sessionID = $query->cookie("CGISESSID") )
+    {    # assignment, not comparison
         my $session = get_session($sessionID);
         C4::Context->_new_userenv($sessionID);
         my ($ip, $lasttime, $sessiontype);
@@ -707,8 +709,12 @@ sub checkauth {
             $userid    = undef;
         }
         else {
-            $cookie = $query->cookie( CGISESSID => $session->id );
-            $session->param('lasttime',time());
+            $cookie = $query->cookie(
+                -name     => 'CGISESSID',
+                -value    => $session->id,
+                -HttpOnly => 1
+            );
+            $session->param( 'lasttime', time() );
             unless ( $sessiontype && $sessiontype eq 'anon' ) { #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
                 $flags = haspermission($userid, $flagsrequired);
                 if ($flags) {
@@ -724,8 +730,12 @@ sub checkauth {
         my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
         my $sessionID = $session->id;
         C4::Context->_new_userenv($sessionID);
-        $cookie = $query->cookie( CGISESSID => $sessionID );
-        $userid = $query->param('userid');
+        $cookie = $query->cookie(
+            -name     => 'CGISESSID',
+            -value    => $session->id,
+            -HttpOnly => 1
+        );
+    $userid = $query->param('userid');
         if (   ( $cas && $query->param('ticket') )
             || $userid
             || ( my $pki_field = C4::Context->preference('AllowPKIAuth') ) ne
@@ -916,7 +926,11 @@ sub checkauth {
     {
         # successful login
         unless ($cookie) {
-            $cookie = $query->cookie( CGISESSID => '' );
+            $cookie = $query->cookie(
+                -name     => 'CGISESSID',
+                -value    => '',
+                -HttpOnly => 1
+            );
         }
         return ( $userid, $cookie, $sessionID, $flags );
     }
@@ -934,17 +948,11 @@ sub checkauth {
         my $value = $query->param($name);
         push @inputs, { name => $name, value => $value };
     }
-    # get the branchloop, which we need for authentication
-    my $branches = GetBranches();
-    my @branch_loop;
-    for my $branch_hash (sort keys %$branches) {
-               push @branch_loop, {branchcode => "$branch_hash", branchname => $branches->{$branch_hash}->{'branchname'}, };
-    }
 
     my $template_name = ( $type eq 'opac' ) ? 'opac-auth.tmpl' : 'auth.tmpl';
     my $template = C4::Templates::gettemplate($template_name, $type, $query );
     $template->param(
-        branchloop           => \@branch_loop,
+        branchloop           => GetBranchesLoop(),
         opaccolorstylesheet  => C4::Context->preference("opaccolorstylesheet"),
         opaclayoutstylesheet => C4::Context->preference("opaclayoutstylesheet"),
         login                => 1,