[Security] logging into one Kibana instance logs me out of all the others #189311

Closed
drewdaemon opened this issue Jul 26, 2024 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@drewdaemon
Contributor

Describe the bug:

Steps to reproduce:

  1. Run two instances of Kibana on your computer using `yarn start` (different ports can be configured with `server.port` in `kibana.yml`)
  2. Make sure no base path is set in `kibana.yml` (`server.basepath` should be missing!)
  3. Log into Kibana 1
  4. Log into Kibana 2

Result: you're logged out of Kibana 1.

Server log:

[2024-07-26T09:56:19.902-06:00][DEBUG][plugins.security.session.cookie] Outdated session value with path "/"

It appears to fail this validation:

```ts
// ensure that this cookie was created with the current Kibana configuration
const invalidSessionValue = (
  Array.isArray(sessionValue) ? sessionValue : [sessionValue]
).find((sess) => sess.path !== undefined && sess.path !== serverBasePath);
if (invalidSessionValue) {
  this.logger.debug(`Outdated session value with path "${invalidSessionValue.path}"`);
  return { isValid: false, path: invalidSessionValue.path };
}
return { isValid: true };
```

If the base paths are explicitly set in `kibana.yml`, the problem isn't present.

@drewdaemon drewdaemon added bug Fixes for quality problems that affect the customer experience Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Jul 26, 2024
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@azasypkin
Member

Hey @drewdaemon, thanks for filing the issue! I believe what you're experiencing is described in #83914 (see Multi-tenancy using the same host name, but different ports). If so, then everything is working as intended, even though it’s definitely confusing (HTTP state spec 🤷). If you'd like to run multiple Kibanas on the same host, you'll need to use different cookies. Here's an example if you'd like to run multiple Kibana instances locally on different ports:

```sh
# Terminal #1
yarn start   # implies `--server.port=5601 --dev.basePathProxyTarget=5603 --xpack.security.cookieName=sid`

# Terminal #2
yarn start --server.port=5701 --dev.basePathProxyTarget=5703 --xpack.security.cookieName=sid7
```

I'm closing the issue, but feel free to re-open it if my guess is wrong.

@azasypkin azasypkin self-assigned this Aug 15, 2024
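
The cookie behaviour behind the answer above, as an added example (not code from Kibana or from any commenter): a small model of a browser cookie store in which, per RFC 6265, a cookie is identified by name, host and path but not by port. The class and function names and the session values are constructed for illustration; the ports, the `/` path and the cookie names are the ones that appear in the thread.

```javascript
// Minimal model of a browser cookie store (RFC 6265 storage model).
// A stored cookie is identified by name + host + path; the port is not part of the key.
class CookieJar {
  constructor() {
    this.store = new Map();
  }

  // Store a cookie set by a response from `origin` (e.g. "http://localhost:5601").
  setCookie(origin, name, value, path = '/') {
    const { hostname } = new URL(origin); // the port is deliberately dropped here
    this.store.set(`${name};${hostname};${path}`, { name, value, hostname, path });
  }

  // Cookies the browser would attach to a request for `url`, as a name -> value map.
  cookiesFor(url) {
    const { hostname, pathname } = new URL(url);
    const out = {};
    for (const c of this.store.values()) {
      if (c.hostname === hostname && pathMatches(pathname, c.path)) out[c.name] = c.value;
    }
    return out;
  }
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Log into instance 1, then instance 2, and return the session cookie value
// each instance receives on its next request.
function loginBoth(cookieName1, cookieName2) {
  const jar = new CookieJar();
  jar.setCookie('http://localhost:5601', cookieName1, 'session-from-kibana-1'); // constructed value
  jar.setCookie('http://localhost:5701', cookieName2, 'session-from-kibana-2'); // constructed value
  return {
    kibana1: jar.cookiesFor('http://localhost:5601/app/home')[cookieName1],
    kibana2: jar.cookiesFor('http://localhost:5701/app/home')[cookieName2],
  };
}

console.log(loginBoth('sid', 'sid'));  // same name: instance 1 now receives instance 2's cookie
console.log(loginBoth('sid', 'sid7')); // distinct names: each instance keeps its own cookie
```
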
@drewdaemon
Contributor Author

Okay, thanks for checking @azasypkin !
