Skip to content

[#3464380] Use #lazy_builder to add LT to login form

Session handling has changed a lot since D9.2 and now with D10.3 release directly accessing $_SESSION is not always creating the session. The LT was also not being used as it should be in the spec, but rather just as another token to check for submission which is not in the CAS spec. Now using #lazy_builder to add the token to the form; thinking being that the anon user form could be cached when that is available. Not storing the LT in the session at all. When a LT is used in a submission, it is invalidated (deleted) so that it cannot be replayed, which is what the LT is meant to be for. Side effect is that it provides a timeout for the login form to be used.

Merge request reports

Loading