Skip to content

Auth: Persist session before refreshing current logged in user#5162

Open
yhabteab wants to merge 1 commit into
mainfrom
fix-shared-cookie
Open

Auth: Persist session before refreshing current logged in user#5162
yhabteab wants to merge 1 commit into
mainfrom
fix-shared-cookie

Conversation

@yhabteab

Copy link
Copy Markdown
Member

When using external auth, e.g. NGINX basic auth, it's not possible to use the user's session for Nagvis authentication, even though the cookie path is set to /, which allows another Icinga web instance to access that same cookie. However, as the user's cookie is periodically refreshed, this invalidates the entire session for the third party, resulting in the REMOTE_USER header being empty.

The Application State Controller already does the same thing!

if ($last + 600 < $now) {
Session::getSession()->write();
$params = session_get_cookie_params();

Might fix Icinga/icingaweb2-module-nagvis#35 (I didn't test it as I don't use apache). Using NGINX works fine though. @slalomsk8er can you please verify this if you are still using apache and Nagvis.

@yhabteab yhabteab requested a review from nilmerg December 13, 2023 12:34
@cla-bot cla-bot Bot added the cla/signed label Dec 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Autologin via Apache results in not authenticated

1 participant