X-Pack Authentication cookie replay possible even if logged out #44478

Closed
devdua opened this issue Aug 30, 2019 · 2 comments
Labels
Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! triage_needed

Comments

@devdua

devdua commented Aug 30, 2019

Kibana version: 7.x

Elasticsearch version: 7.x

Server OS version: CentOS 7

Browser version: All browsers

Browser OS version: All OS

Original install method (e.g. download page, yum, from source, etc.): yum

Describe the bug:
Any process capturing requests from the browser to Kibana can capture the session cookie and use it to submit authenticated requests to Kibana even if the user has logged out.

Steps to reproduce:

  1. Log in to Kibana
  2. Using the browser's Dev Tools, or a plugin or interceptor like Burp, copy the "sid" cookie
  3. Log out of Kibana
  4. In another browser or in Private/Incognito mode, open Kibana. Add a new cookie with key: sid and the value copied earlier.
  5. Refresh the browser; you'll now be logged in as the user the cookie was generated for.

Expected behavior:
Apart from clearing session information on logout, there should be a way to invalidate cookies, maybe by using a server side cache of sessions which can be used to verify a cookie. These cookies or session cache data should get deleted on logout.

Screenshots (if relevant):
Step 2 - (screenshot)

Step 4 - (screenshot)

Step 5 - (screenshot)

Errors in browser console (if relevant):
No errors

Provide logs and/or server output (if relevant):
N.A.

Any additional context:

@mikecote mikecote added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! triage_needed labels Aug 30, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@kobelb
Contributor

kobelb commented Sep 4, 2019

Hey @devdua, thanks for bringing this up. This is actually a known limitation of the basic auth provider.

The session cookies that are issued by the basic authentication provider are stateless. Therefore, logging out of Kibana when using the basic authentication provider clears the session cookies from the browser but does not invalidate the session cookie for reuse.

If you want this behavior, I'd recommend using the token auth provider.

The session cookies that are issued by the token authentication provider are stateful, and logging out of Kibana invalidates the session cookies for reuse.

It's our intent to make the token auth provider the default starting in 8.0: #34339

@kobelb kobelb closed this as completed Sep 4, 2019