Kibana session logout after opening a new tab

Hi,

A few users have reported a session logout in Kibana after opening a new tab. The reported steps to reproduce are:

  1. Using SAML integration as authentication
  2. Log in to Kibana
  3. Click on a link that opens Kibana in a new tab

Result:
The session on the first tab is lost

Expected:
No session lost

Thanks in advance


Thanks, interesting one. Any insights on what browser does this?

I have just tried to reproduce this, but no luck.

  • what version of ROR have you installed? Es and Kibana plugins
  • what version of ES/KBN?
  • can you reproduce this in chrome?
  • can you provide a more precise reproducer script? I.e. what link to click
  • can you share the settings of your kibana.yml? i.e. session related parameters

Hi,

It is happening in Safari as well as Firefox in Ubuntu. But it could be happening in other browsers that I am not aware of.

  • what version of ROR have you installed? Es and Kibana plugins
    Version 1.49

  • what version of ES/KBN?
    Version 7.16.3

  • can you reproduce this in chrome?
    Will check.

  • can you provide a more precise reproducer script? I.e. what link to click
    This type of links (the short links generated in Kibana):
    https://logs.xcade.net/s/testteam/goto/e0323b20-27bb-11ee-9e09-fd2bb6486a07

  • can you share the settings of your kibana.yml? i.e. session related parameters
    The only setting related to session is readonlyrest_kbn.session_timeout_minutes: 720

Thanks in advance


Not able to reproduce in 1.50.0 with Kibana 8.8.0.

If there is a problem with how I test, let me know. Otherwise I will try to install Kibana 7.16.3.

Hi @sscarduzio

The steps to reproduce are not exactly the same. After creating the short link, share it to yourself via email. Then click on the link from the email.

Best regards.

Test!

https://localhost:5601/s/default/app/r/s/fKXHn

You know, I was skeptical. But here I am reproducing this issue. Pretty sure there’s a rational explanation, but for now it really puzzles me.

@Dzuming WDYT? I need ideas 🙂

Seems like it's a problem related to Gmail and the way you open the link.

Generally speaking, in our cookies we have a sameSite: strict value defined in our rorCookie. However, if you left-click the link in Gmail, it opens something like https://www.google.com/url?q=https://localhost:5601/s/default/app/r/s/Uxo0E&source=gmail&ust=1692032548974000&usg=AOvVaw3E9LWSwc41dX7RAlfolDvf and in this case, rorCookie is not attached to the Cookie header. If you open the link via the Open link in new Tab option, it works as expected. To fix this issue, we can change rorCookie sameSite to Lax.
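An added example, not part of the original posts and not ReadonlyREST code: a simplified model of the browser-side SameSite decision, showing why a Strict session cookie is withheld when the Kibana link is reached from another site and what Lax changes. The function names, the other.example origin and the "last two host labels" notion of a site are assumptions made for illustration.

```javascript
// Simplified model of the browser's SameSite decision for one cookie.
// Assumption: a "site" is scheme + last two host labels; real browsers
// consult the Public Suffix List instead.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// request: { initiator, target, method, topLevelNavigation }
function cookieIsSent(sameSite, request) {
  if (siteOf(request.initiator) === siteOf(request.target)) return true;
  switch (sameSite.toLowerCase()) {
    case 'strict':
      return false; // never attached to cross-site requests
    case 'lax':
      // only on top-level navigations that use a safe method
      return request.topLevelNavigation && SAFE_METHODS.includes(request.method);
    case 'none':
      return true; // browsers additionally require the Secure attribute
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Constructed requests; the Kibana link and the redirector host are the
// ones quoted in the thread, other.example is a placeholder origin.
const kibana = 'https://localhost:5601/s/default/app/r/s/Uxo0E';
const requests = {
  linkViaRedirector: { initiator: 'https://www.google.com/url', target: kibana, method: 'GET', topLevelNavigation: true },
  linkInsideKibana: { initiator: 'https://localhost:5601/', target: kibana, method: 'GET', topLevelNavigation: true },
  crossSiteFormPost: { initiator: 'https://other.example/form', target: kibana, method: 'POST', topLevelNavigation: true },
  crossSiteSubresource: { initiator: 'https://other.example/page', target: kibana, method: 'GET', topLevelNavigation: false },
};

// Returns { scenarioName: true|false } for the given SameSite value.
function decisions(sameSite) {
  return Object.fromEntries(
    Object.entries(requests).map(([name, r]) => [name, cookieIsSent(sameSite, r)])
  );
}

console.log('strict', decisions('strict'));
console.log('lax', decisions('lax'));
```

With Lax the cookie accompanies the link click, while cross-site POSTs and subresource requests still arrive without it, which is the part of the CSRF protection that survives the change from Strict.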

Hi @Dzuming

In our case, we are not using Gmail for sharing the links. Our use case is very similar to the one tested by @sscarduzio by posting a link in this thread.

Best regards.

@Dzuming your reasoning makes sense to me. Let’s try if sameSite: 'lax' fixes the issue at hand, and later we can make it configurable.

Hi @sscarduzio

Any updates on this issue?

Thanks in advance.

@Dzuming can we give a build to @gustavo.yoshizaki?

I sent a private message with a pre-release build to @gustavo.yoshizaki
