Bug 12954: Failed login should retain anonymous session

A failed login should not leave the user in a half logged authenticated
state, but rather return them to an anonymouse session as per the
pre-login attempt state.

To replicate error:
1. Try to log in with some nonexisting user id or wrong password in the
   OPAC
2. Go directly to /opac-user.pl (e.g., enter it in the browser address
   bar, or just click on the "Log in" link)
3. Observe a DBI error displayed on the screen
4. You are now in the "deadloop" of sorts (opac/opac-user.pl refuses to
   display the login screen, no matter how many times you try to reload
   it); to break the deadloop, one needs to:
   - remove session cookie from the browser (or cause the session to
     expire in some other way - closing browser window would be probably
     enough for that)
   - remove offending session on the server (from mysql sessions table,
    ..)
   - log in with proper credentials using some other page (like
     opac/opac-main.pl right-side panel), which does not involve
     opac/opac-user.pl being called without "userid" CGI parameter.

To test:
1. Test as above, the DBI error should no longer be present
2. Check that search history works across failed and sucessful login
   attempts

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>

diff --git a/C4/Auth.pm b/C4/Auth.pm
index f1481c3..e6c121a 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -967,7 +967,10 @@ sub checkauth {
                       checkpw( $dbh, $userid, $password, $query );
                     $userid = $retuserid if ($retuserid);
                     $info{'invalid_username_or_password'} = 1 unless ($return);
-                } }
+                }
+            }
+
+            # $return: 1 = valid user, 2 = superlibrarian
             if ($return) {
 
                 #_session_log(sprintf "%20s from %16s logged in  at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime));
@@ -1091,13 +1094,17 @@ sub checkauth {
                 );
 
             }
+            # $return: 0 = invalid user
+            # reset to anonymous session
             else {
+                $debug and warn "Login failed, resetting anonymous session...";
                 if ($userid) {
                     $info{'invalid_username_or_password'} = 1;
                     C4::Context->_unset_userenv($sessionID);
                 }
                 $session->param( 'lasttime', time() );
                 $session->param( 'ip',       $session->remote_addr() );
+                $session->param( 'sessiontype', 'anon' );
             }
         }    # END if ( $userid    = $query->param('userid') )
         elsif ( $type eq "opac" ) {