Recently I read this on GitHub.
Currently, Kibana does not set the SameSite attribute on its session cookie. Up until recently, this was tolerable, but Chrome recently (version 80) updated its default configuration to treat unset SameSite attributes to mean Lax.
This is problematic for users who embed Kibana in an iframe. We should allow the SameSite setting to be configurable via kibana.yml, so users can choose if they want Strict, Lax, or None.
Can anyone tell me how to configure this setting (xpack.security.sameSiteCookies) in the proper format in the kibana.yml file? Our Kibana servers are running in Elastic Cloud. @azasypkin @wylie
I applied this setting xpack.security.sameSiteCookies: None in the kibana.yml file and I am getting the following error.
This looks correct to me, but it's only a valid setting since 7.8.1 (and additionally 6.8.11). What version of the stack are you using?
Best,
Oleg
We are using 7.8.0 @azasypkin
Then you'll need to upgrade to 7.8.1 or newer (you can safely do this for patch releases).
OK @azasypkin, thanks for your time and help!
Is there an option to set the parameters xpack.security.secureCookies: true and xpack.security.sameSiteCookies: None in the cloud hosted environment on https://www.elastic.co? It seems that these are still not supported there.
Can the cloud environment give us access to the server, and we can set the cookie parameters there, depending on the type of server, Nginx, etc?
The solution to this issue is you should add this line/setting in your kibana.yml file: xpack.security.sameSiteCookies: None, and your ELK stack version should be above 7.8.0.
Yes, you can do this in a cloud hosted environment. We did the above changes in the kibana.yml file on our cloud hosted environment. Only admins have access to do this. Below is the URL: https://cloud.elastic.co/login?redirectTo=%2Fhome
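A pre-flight check for the situation in this thread, added here as an example and not taken from any poster or from Kibana itself: it flags a kibana.yml that sets xpack.security.sameSiteCookies on a version that rejects it (the thread gives 7.8.1 and 6.8.11 as the first supported releases) and a None value that is not paired with a Secure cookie. The function names, finding labels and sample config are constructed; treating later 6.8.x patches as supported and the Secure requirement (browser behaviour since Chrome 80) are assumptions not stated in the thread.

```python
import re

VALID_VALUES = {"Strict", "Lax", "None"}  # values listed in the quoted GitHub issue

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines; enough for the settings checked here."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def supports_same_site(version):
    """True for 7.8.1+ and, on the 6.x line, 6.8.11+ (assumed to include later 6.8.x)."""
    parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if parts[0] == 6:
        return parts >= (6, 8, 11)
    return parts >= (7, 8, 1)

def check(version, yml_text):
    """Return a list of finding labels (hypothetical names) for this config."""
    cfg = parse_flat_yaml(yml_text)
    same_site = cfg.get("xpack.security.sameSiteCookies")
    if same_site is None:
        return []  # setting absent: nothing to validate
    findings = []
    if not supports_same_site(version):
        findings.append("unsupported-version")  # Kibana refuses the unknown key
    if same_site not in VALID_VALUES:
        findings.append("invalid-value")
    # Browsers drop SameSite=None cookies that lack Secure. Kibana marks the
    # cookie Secure when it terminates TLS itself or secureCookies is true.
    secure = (cfg.get("xpack.security.secureCookies", "").lower() == "true"
              or cfg.get("server.ssl.enabled", "").lower() == "true")
    if same_site == "None" and not secure:
        findings.append("none-without-secure")
    return findings

# Constructed sample: the two settings discussed in the thread.
SAMPLE = """
xpack.security.secureCookies: true
xpack.security.sameSiteCookies: None
"""

if __name__ == "__main__":
    for v in ("7.8.0", "7.8.1", "6.8.11"):
        print(v, check(v, SAMPLE) or "ok")
```
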