A failed login should not leave the user in a half logged authenticated
state, but rather return them to an anonymous session as per the
pre-login attempt state.
To replicate error:
1. Try to log in with some nonexisting user id or wrong password in the
OPAC
2. Go directly to /opac-user.pl (e.g., enter it in the browser address
bar, or just click on the "Log in" link)
3. Observe a DBI error displayed on the screen
4. You are now in the "deadloop" of sorts (opac/opac-user.pl refuses to
display the login screen, no matter how many times you try to reload
it); to break the deadloop, one needs to:
- remove session cookie from the browser (or cause the session to
expire in some other way - closing browser window would be probably
enough for that)
- remove offending session on the server (from mysql sessions table,
..)
- log in with proper credentials using some other page (like
opac/opac-main.pl right-side panel), which does not involve
opac/opac-user.pl being called without "userid" CGI parameter.
To test:
1. Test as above, the DBI error should no longer be present
2. Check that search history works across failed and successful login
attempts
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 7f504acc13a361ba93504917498ae955b82ed430)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
}
else {
+ $debug and warn "Login failed, resetting anonymous session...";
if ($userid) {
$info{'invalid_username_or_password'} = 1;
C4::Context->_unset_userenv($sessionID);
}
$session->param('lasttime',time());
$session->param('ip',$session->remote_addr());
+ $session->param('sessiontype','anon');
}
} # END if ( $userid = $query->param('userid') )
elsif ($type eq "opac") {
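Review bot: The reset at `$session->param('sessiontype','anon')` only flips the type flag, and the lines shown do not clear anything else the failed attempt may have written into the session. `C4::Context->_unset_userenv($sessionID)` runs only inside `if ($userid)`, while the new `sessiontype` assignment runs for every path through this `else`, so the two halves of the cleanup are not applied under the same condition. Please confirm that no user-identifying session parameter can survive this branch, or clear such parameters explicitly next to the `sessiontype` reset so the session really matches the pre-login anonymous state described in the commit message. A short comment above the new assignment saying why it is needed (opac-user.pl otherwise hits the DBI error from the replication steps) would help future readers. Minor: the `warn` string has no trailing newline and no session identifier, so the debug line will carry Perl's "at ... line N" suffix but nothing that ties it to a particular session. Including `$sessionID` would make it usable when tracing repeated failed logins. The test plan is manual only, so a regression test covering a failed login followed by a request without the `userid` parameter would keep this from reappearing.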