How to set SameSite='None' in Kibana 7.6.2

Elastic Stack Kibana
#1

I'm using kibana 7.6.2 version and I tried to execute a cross-site domain access to Kibana bypassing login page.
After I launched http post call to Kibana login endpoint, attaching username and password,
I obtain a warning in Cookie section.

If I moved the mouse pointer to (i) of SameSite column, I get the following message back:
This Set-Cookie didn't specify a "SameSite" attributed and was defaulted to "SameSite=Lax" and was blocked because it came from a cross-site response which was not the response to a top-level navigation. The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage.

cookie

it seems that in version 7.6.2 the SameSite setting to None is not enabled, but in the http_tools.js there is a boolean variable isSameSite which by default is set to false.
How can I fix this bug?

#2

Hello @gaetano

Generally speaking, its preferred to keep this in place as its more secure.

Why do you wish to make the cross site request?

1 Like
#3

Hi
I have a programming environment consisting of some virtual machines on which some web applications have been deployed. Solving this problem will allow me to connect between endpoints on different virtual machines.

#4

I see - and how are you making the request to kibana? What does the request do and what are your aims?

#5

my goal is to access kibana bypassing the login page by attaching username and password in the http post request

#6

What does the request do? Are you using this to skip the login page and use kibana as normal or are you attempting to automate something?

Based on what you've said so far the best path would be to place a proxy in front of kibana so it can be served from the same ip or domain as the script you're trying to run but if you let me know what you're trying to do we might find something simpler.

#7

You could also disable CORS enforcement in your browser although I wouldn't recommend it as a long term solution - Allow CORS: Access-Control-Allow-Origin - Chrome Web Store

#8

I'm trying to use kibana as normal.
It is an Angular script that executes an http post call to 'internal/security/login' attaching username and password as body, and Content-Type: application/json and kbn-xsrf: 7.6.2 as http Header.

#9

So you want to use kibana as normal but you want to skip the login screen?

#10

yes my goal would be this. I don't know if it's possible.

#11

Its definitely possible, its just a question of finding the best route since you're potentially creating a significant security hole. Have you considered using SAML authentication? It might provide a nice balance of security and convenience for you - Authentication in Kibana | Kibana Guide [7.10] | Elastic

1 Like
#12

Ok thank you for the attached link.
Anyway, for info, I tried to access Kibana by first launching the same http post call using the Talend Chrome extension. In that case I was able to access it bypassing the login page and I also noticed that the cookie was set.
While if I try to launch it via Angular script I am redirected to the login page and the cookie is not set.
For this reason I wanted to focus my topic on the theme of cookies, as in my opinion the problem had to be addressed and solved in this direction.

#13

If I understand correctly, you're having success with the Talend extension but not your angular script, correct?

Can you share the request and response in each case?

1 Like
#14

TALEND REQUEST - RESPONSE

talend_request
talend_request1193×374 5.92 KB

talend_request_header
talend_response

SCRIPT REQUEST - RESPONSE

script_request
script_request871×286 9.94 KB

script_response
script_request_header

#15

I would also like to say that I have modified the http_tools.js file to enable CORS.
I inserted
cors: {additionalHeaders: ['kbn-version', 'kbn-xsrf', 'cookie'], origin: ['*'], credentials: true},
instead of
cors: config.cors

I thought that the problem could be caused by the CORS not enabled.

#16

It looks like you found the solution - Allow for cookie's `SameSite` attribute to be configurable · Issue #60522 · elastic/kibana · GitHub - Chrome wants SameSite=None to be set which is supported in Kibana v7.8.1

From the requests you shared everything in the request and response is correct.

#17

Thank you. I finally decided to install Kibana 7.6.2 on the same domain as my web application. This way I can log into Kibana. The problem in upgrading the Hapi library (in Kibana 7.6.2), to enable the use of SameSite = 'None', is very complex. It becomes preferable, at that point, to install a newer version of Kibana.

#18

Hi, I upgraded Kibana to version 7.10.2.
I added in kibana.yml
xpack.security.secureCookies: true
xpack.security.sameSiteCookies: None
for the SameSite setup, but when I try to access the login page I get this result.

login

While on the Cookie section I get this warning:
This Set-Cookie was blocked because it had the "Secure" attribute but was not received over a secure connection.

cookie
cookie1308×140 22.5 KB

What changes do I have to make to establish a "secure" connection?