@EXPORT = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions);
@EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &checkpw_internal &checkpw_hash
&get_all_subpermissions &get_user_subpermissions
- ParseSearchHistoryCookie
+ ParseSearchHistorySession SetSearchHistorySession
);
%EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] );
$ldap = C4::Context->config('useldapserver') || 0;
$template->param(ShowOpacRecentSearchLink => 1);
}
- # And if there's a cookie with searches performed when the user was not logged in,
+ # And if there are searches performed when the user was not logged in,
# we add them to the logged-in search history
- my @recentSearches = ParseSearchHistoryCookie($in->{'query'});
+ my @recentSearches = ParseSearchHistorySession($in->{'query'});
if (@recentSearches) {
my $sth = $dbh->prepare($SEARCH_HISTORY_INSERT_SQL);
$sth->execute( $borrowernumber,
$_->{'time'},
) foreach @recentSearches;
- # And then, delete the cookie's content
- my $newsearchcookie = $in->{'query'}->cookie(
- -name => 'KohaOpacRecentSearches',
- -value => encode_json([]),
- -HttpOnly => 1,
- -expires => ''
- );
- $cookie = [$cookie, $newsearchcookie];
+ # clear out the search history from the session now that
+ # we've saved it to the database
+ SetSearchHistorySession($in->{'query'}, []);
}
}
}
# Anonymous opac search history
# If opac search history is enabled and at least one search has already been performed
if (C4::Context->preference('EnableOpacSearchHistory')) {
- my @recentSearches = ParseSearchHistoryCookie($in->{'query'});
+ my @recentSearches = ParseSearchHistorySession($in->{'query'});
if (@recentSearches) {
$template->param(ShowOpacRecentSearchLink => 1);
}
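Review bot: The two ParseSearchHistorySession calls and the SetSearchHistorySession call in this hunk resolve the session from the request's CGISESSID cookie (see their definitions at the end of the file), while checkauth deletes the current session and creates a new one during a login request; at that point the request cookie still names the deleted session, so the history checkauth copies into the new session may not be what is read here, and the clearing call may hit a session that no longer exists. If get_session hands back a fresh session for an unknown id, each of these lookups would also leave a stray session behind. checkauth already returns the session id it established, so passing it through, e.g. `ParseSearchHistorySession($in->{'query'}, $sessionID)`, would avoid the re-read — I cannot see how that id reaches this code from here, so this needs confirming against the caller. get_template_and_user starts and ends outside this hunk; the same point applies to the definitions hunk at the end of the file.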
my ( $userid, $cookie, $sessionID, $flags, $barshelves, $pubshelves );
my $logout = $query->param('logout.x');
+ my $anon_search_history;
+
# This parameter is the name of the CAS server we want to authenticate against,
# when using authentication against multiple CAS servers, as configured in Auth_cas_servers.yaml
my $casparam = $query->param('cas');
+ my $q_userid = $query->param('userid') // '';
if ( $userid = $ENV{'REMOTE_USER'} ) {
# Using Basic Authentication, no cookies required
my $session = get_session($sessionID);
C4::Context->_new_userenv($sessionID);
my ($ip, $lasttime, $sessiontype);
+ my $s_userid = '';
if ($session){
+ $s_userid = $session->param('id') // '';
C4::Context::set_userenv(
- $session->param('number'), $session->param('id'),
+ $session->param('number'), $s_userid,
$session->param('cardnumber'), $session->param('firstname'),
$session->param('surname'), $session->param('branch'),
$session->param('branchname'), $session->param('flags'),
$debug and printf STDERR "AUTH_SESSION: (%s)\t%s %s - %s\n", map {$session->param($_)} qw(cardnumber firstname surname branch) ;
$ip = $session->param('ip');
$lasttime = $session->param('lasttime');
- $userid = $session->param('id');
+ $userid = $s_userid;
$sessiontype = $session->param('sessiontype') || '';
}
- if ( ( ($query->param('koha_login_context')) && ($query->param('userid') ne $session->param('id')) )
+ if ( ( $query->param('koha_login_context') && ($q_userid ne $s_userid) )
|| ( $cas && $query->param('ticket') ) ) {
#if a user enters an id ne to the id in the current session, we need to log them in...
#first we need to clear the anonymous session...
- $debug and warn "query id = " . $query->param('userid') . " but session id = " . $session->param('id');
- $session->flush;
+ $debug and warn "query id = $q_userid but session id = $s_userid";
+ $anon_search_history = $session->param('search_history');
$session->delete();
+ $session->flush;
C4::Context->_unset_userenv($sessionID);
$sessionID = undef;
$userid = undef;
}
elsif ($logout) {
# voluntary logout the user
- $session->flush;
$session->delete();
+ $session->flush;
C4::Context->_unset_userenv($sessionID);
#_session_log(sprintf "%20s from %16s logged out at %30s (manually).\n", $userid,$ip,(strftime "%c",localtime));
$sessionID = undef;
logout_cas($query);
}
}
- elsif ( $lasttime < time() - $timeout ) {
+ elsif ( !$lasttime || ($lasttime < time() - $timeout) ) {
# timed logout
$info{'timed_out'} = 1;
- $session->delete() if $session;
+ if ($session) {
+ $session->delete();
+ $session->flush;
+ }
C4::Context->_unset_userenv($sessionID);
#_session_log(sprintf "%20s from %16s logged out at %30s (inactivity).\n", $userid,$ip,(strftime "%c",localtime));
$userid = undef;
$info{'newip'} = $ENV{'REMOTE_ADDR'};
$info{'different_ip'} = 1;
$session->delete();
+ $session->flush;
C4::Context->_unset_userenv($sessionID);
#_session_log(sprintf "%20s from %16s logged out at %30s (ip changed to %16s).\n", $userid,$ip,(strftime "%c",localtime), $info{'newip'});
$sessionID = undef;
#we initiate a session prior to checking for a username to allow for anonymous sessions...
my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
+
+ # Save anonymous search history in new session so it can be retrieved
+ # by get_template_and_user to store it in user's search history after
+ # a successful login.
+ if ($anon_search_history) {
+ $session->param('search_history', $anon_search_history);
+ }
+
my $sessionID = $session->id;
C4::Context->_new_userenv($sessionID);
$cookie = $query->cookie(
-value => $session->id,
-HttpOnly => 1
);
- $userid = $query->param('userid');
+ $userid = $q_userid;
+ my $pki_field = C4::Context->preference('AllowPKIAuth');
+ if (! defined($pki_field) ) {
+ print STDERR "ERROR: Missing system preference AllowPKIAuth.\n";
+ $pki_field = 'None';
+ }
if ( ( $cas && $query->param('ticket') )
|| $userid
- || ( my $pki_field = C4::Context->preference('AllowPKIAuth') ) ne
- 'None' || $persona )
+ || $pki_field ne 'None'
+ || $persona )
{
my $password = $query->param('password');
my $retuserid;
( $return, $cardnumber, $retuserid ) =
checkpw( $dbh, $userid, $password, $query );
- $userid = $retuserid if ( $retuserid ne '' );
+ $userid = $retuserid if ( $retuserid );
}
if ($return) {
#_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime));
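Review bot: `$userid = $retuserid if ( $retuserid );` now also discards a returned userid that is the string "0", which the previous `ne ''` test accepted; if the intent was only to silence the uninitialized-value warning on undef, `$userid = $retuserid if defined $retuserid && length $retuserid;` keeps the old semantics. On a point of style, the missing-AllowPKIAuth branch reports with `print STDERR` where the rest of this sub goes through `warn` (the `$debug and warn` above), so it bypasses any `$SIG{__WARN__}` handler the application installs; `warn "ERROR: Missing system preference AllowPKIAuth.\n";` would be consistent. checkauth continues on both sides of this hunk.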
$info{'invalid_username_or_password'} = 1;
C4::Context->_unset_userenv($sessionID);
}
+ $session->param('lasttime',time());
+ $session->param('ip',$session->remote_addr());
}
} # END if ( $userid = $query->param('userid') )
elsif ($type eq "opac") {
if ( $lasttime < time() - $timeout ) {
# time out
$session->delete();
+ $session->flush;
C4::Context->_unset_userenv($sessionID);
$userid = undef;
$sessionID = undef;
} elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
# IP address changed
$session->delete();
+ $session->flush;
C4::Context->_unset_userenv($sessionID);
$userid = undef;
$sessionID = undef;
return ("ok", $cookie, $sessionID);
} else {
$session->delete();
+ $session->flush;
C4::Context->_unset_userenv($sessionID);
$userid = undef;
$sessionID = undef;
if ( $lasttime < time() - $timeout ) {
# time out
$session->delete();
+ $session->flush;
C4::Context->_unset_userenv($sessionID);
$userid = undef;
$sessionID = undef;
} elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
# IP address changed
$session->delete();
+ $session->flush;
C4::Context->_unset_userenv($sessionID);
$userid = undef;
$sessionID = undef;
return ("ok", $sessionID);
} else {
$session->delete();
+ $session->flush;
C4::Context->_unset_userenv($sessionID);
$userid = undef;
$sessionID = undef;
return 0;
}
-sub ParseSearchHistoryCookie {
- my $input = shift;
- my $search_cookie = $input->cookie('KohaOpacRecentSearches');
- return () unless $search_cookie;
- my $obj = eval { decode_json(uri_unescape($search_cookie)) };
+sub ParseSearchHistorySession {
+ my $cgi = shift;
+ my $sessionID = $cgi->cookie('CGISESSID');
+ return () unless $sessionID;
+ my $session = get_session($sessionID);
+ return () unless $session and $session->param('search_history');
+ my $obj = eval { decode_json(uri_unescape($session->param('search_history'))) };
return () unless defined $obj;
return () unless ref $obj eq 'ARRAY';
return @{ $obj };
}
+sub SetSearchHistorySession {
+ my ($cgi, $search_history) = @_;
+ my $sessionID = $cgi->cookie('CGISESSID');
+ return () unless $sessionID;
+ my $session = get_session($sessionID);
+ return () unless $session;
+ $session->param('search_history', uri_escape(encode_json($search_history)));
+}
+
END { } # module clean-up code here (global destructor)
1;
__END__
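Review bot: SetSearchHistorySession stores the new value with `$session->param(...)` but never calls `$session->flush`, while this commit otherwise pairs every session mutation with an explicit flush (the delete/flush sequences in checkauth); unless the objects get_session returns flush on destruction, the cleared history could be written late or lost. Adding `$session->flush;` after the param call would make the sub consistent with the rest of the change. The sub also returns `()` on its early exits and whatever the last statement yields otherwise, which callers cannot tell apart; a bare `return;` for the failure cases and an explicit `return 1;` on success would document the contract. The `uri_escape(encode_json(...))` layering is carried over from the cookie representation and is unnecessary for server-side session storage, but since ParseSearchHistorySession unescapes symmetrically it is harmless as written.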