  • Ex Libris Knowledge Center

    Patron can access OPAC sessions of other patrons after link is sent by e-mail

    • Article Type: General
    • Product: Aleph
    • Product Version: 18.01

    Problem Symptoms:
    When patron A sends patron B a link copied from the OPAC, patron B can see patron A's sensitive details such as loans and contact information.

    System works as designed.

    Aleph carries the session ID in the URL in order to recognize the patron who is currently logged in. When a URL containing this session ID is sent to another person and that person opens it, two workstations share the same session, and the second workstation inherits everything the first one is logged in to. Any web application that places the session identifier in the URL has the same exposure: the link itself becomes the credential, and it leaks wherever a link can go (e-mail, chat, browser history, the Referer header of outbound links).
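    Whether a session has actually been used from more than one workstation can be checked after the fact in the web server's access log. The following Python script is an added example, not part of this article or of Aleph: it parses constructed Common Log Format lines, extracts the session token from the OPAC URL and lists every session that was used from more than one client address, together with the requests the additional addresses made. The `/F/<token>?func=...` URL layout and the `bor-*` function names are assumptions about the Aleph URL scheme; adjust `SESSION_RE` for your installation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log lines (Common Log Format); not real Aleph logs.
# The "/F/<session-token>?func=..." path shape is an assumption about how Aleph
# carries the session ID in the URL.
SAMPLE_LOG = """\
10.0.0.11 - - [10/Sep/2013:09:01:02 +0200] "GET /F/ABCD1234EFGH5678-01234?func=login HTTP/1.1" 200 512
10.0.0.11 - - [10/Sep/2013:09:01:40 +0200] "GET /F/ABCD1234EFGH5678-01234?func=bor-info HTTP/1.1" 200 2048
10.0.0.52 - - [10/Sep/2013:09:05:15 +0200] "GET /F/ABCD1234EFGH5678-01234?func=bor-loan HTTP/1.1" 200 1800
10.0.0.77 - - [10/Sep/2013:09:06:00 +0200] "GET /F/ZZZZ9999YYYY8888-04321?func=find-b HTTP/1.1" 200 900
10.0.0.77 - - [10/Sep/2013:09:07:30 +0200] "GET /F/ZZZZ9999YYYY8888-04321?func=short-jump HTTP/1.1" 200 700
"""

# Common Log Format: client ip, ident, user, [timestamp], "METHOD path PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed Aleph OPAC URL layout: the session token sits in the path right after /F/.
SESSION_RE = re.compile(r'^/F/(?P<sid>[A-Z0-9]+-\d+)')


def parse_line(line):
    """Return {'ip', 'ts', 'sid', 'path'} for an OPAC request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    s = SESSION_RE.match(m.group('path'))
    if not s:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'sid': s.group('sid'), 'path': m.group('path')}


def shared_sessions(log_text):
    """Find sessions used from more than one client address.

    Returns {session_id: {'first_ip', 'ips', 'foreign_requests'}}, where
    'foreign_requests' lists (ip, path) for every request made by an address
    other than the one that first used the session.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r['ts'])  # log order is not guaranteed to be time order

    first_ip = {}
    ips_by_sid = defaultdict(set)
    foreign = defaultdict(list)
    for rec in records:
        sid = rec['sid']
        first_ip.setdefault(sid, rec['ip'])
        ips_by_sid[sid].add(rec['ip'])
        if rec['ip'] != first_ip[sid]:
            foreign[sid].append((rec['ip'], rec['path']))

    return {
        sid: {'first_ip': first_ip[sid], 'ips': sorted(ips), 'foreign_requests': foreign[sid]}
        for sid, ips in ips_by_sid.items()
        if len(ips) > 1
    }


if __name__ == '__main__':
    for sid, info in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid}: first used by {info['first_ip']}, also seen from {info['ips']}")
        for ip, path in info['foreign_requests']:
            print(f"  {ip} requested {path}")
```

A session seen from several addresses is an indicator, not proof: a patron behind a changing NAT pool or switching from wired to wireless will legitimately appear the same way, so treat a hit as a prompt to look at which functions the second address reached (patron-record functions are the ones that matter) rather than as a confirmed incident.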

    Additional Information

    The problem can be reduced by enforcing a session logout or a patron logout after a certain time: if patron A sends the link to patron B, the session may already have been closed by the time patron B opens the e-mail. Check whether the following proposals can be implemented at your institution.

    1. In the file $alephe_root/www_f_lng/meta-tags you will find the line

    <META HTTP-EQUIV="REFRESH" CONTENT="1200; URL=&server_f?func=logout">

    The number 1200 is the number of seconds after which an automatic session logout is enforced. You may choose a lower value, for example 120. Attention: the countdown starts when the page is opened, not when the patron was last active, so this is an absolute timeout rather than an inactivity timeout and should not be set very low. After the time has elapsed, the session is terminated and the OPAC start page is loaded. Because this is a client-side META refresh, the logout request is only sent if the page is still open in a browser when the timer fires; a page that was closed earlier sends nothing, and the session then lives until the server-side timeout ends it.

    2. Instead of the session logout via meta-tags you can set the patron logout with www_a_s_time_out. This is a patron logout after inactivity; by default it is 10 minutes. You can change it by adding the following line to www_server.conf:

    setenv www_a_s_time_out 0060

    In this example the timeout is 60 seconds. Unlike the session logout, the patron logout leaves the session active: the search history and the result list remain on screen, but sensitive patron data is no longer accessible until the patron logs in again. Since this timer restarts with every request, a recipient who opens the link while patron A is still active, or within the timeout after A's last request, still gets in; the value only bounds the window.

    Category: Web OPAC (500)

    Subject: html Pages (500)

    • Article last edited: 10/8/2013