I'm using Kibana version 7.6.2 and I tried to execute a cross-site domain access to Kibana bypassing the login page.
After I launched an HTTP POST call to the Kibana login endpoint, attaching username and password,
I obtained a warning in the Cookie section.
If I move the mouse pointer to the (i) of the SameSite column, I get the following message back: This Set-Cookie didn't specify a "SameSite" attribute and was defaulted to "SameSite=Lax" and was blocked because it came from a cross-site response which was not the response to a top-level navigation. The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage.
It seems that in version 7.6.2 the SameSite setting to None is not enabled, but in http_tools.js there is a boolean variable isSameSite which by default is set to false.
How can I fix this bug?
Hi
I have a programming environment consisting of some virtual machines on which some web applications have been deployed. Solving this problem will allow me to connect between endpoints on different virtual machines.
What does the request do? Are you using this to skip the login page and use Kibana as normal, or are you attempting to automate something?
Based on what you've said so far, the best path would be to place a proxy in front of Kibana so it can be served from the same IP or domain as the script you're trying to run, but if you let me know what you're trying to do we might find something simpler.
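One way to realise the "proxy in front of Kibana" suggestion, as an added example that is not part of the thread or of Elastic's own documentation: an nginx server block that serves the web application and Kibana from one origin, so the session cookie is set and sent as same-site and no SameSite=None or CORS relaxation is needed. The hostname, ports and certificate paths are placeholders; it assumes Kibana is configured with server.basePath: "/kibana" and server.rewriteBasePath: true in kibana.yml so that it accepts requests under that sub-path.

```nginx
# Constructed example: one TLS origin for the app and Kibana (not from the thread).
server {
    listen 443 ssl;
    server_name app.example.internal;              # placeholder hostname
    ssl_certificate     /etc/ssl/certs/app.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/app.key;  # placeholder path

    # The web application that issues the login request.
    location / {
        proxy_pass http://127.0.0.1:8080;          # placeholder app backend
    }

    # Kibana under a sub-path of the same origin; requires
    # server.basePath: "/kibana" and server.rewriteBasePath: true in kibana.yml.
    location /kibana/ {
        proxy_pass http://127.0.0.1:5601;          # Kibana's default port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the browser now sees both the app and Kibana at https://app.example.internal, the login POST is a same-site request: a cookie that defaults to SameSite=Lax is stored, and xpack.security.secureCookies: true is satisfied by the TLS listener.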
I'm trying to use kibana as normal.
It is an Angular script that executes an HTTP POST call to 'internal/security/login', attaching username and password as the body, and Content-Type: application/json and kbn-xsrf: 7.6.2 as HTTP headers.
It's definitely possible, it's just a question of finding the best route since you're potentially creating a significant security hole. Have you considered using SAML authentication? It might provide a nice balance of security and convenience for you - Authentication in Kibana | Kibana Guide [7.10] | Elastic
Ok thank you for the attached link.
Anyway, for info, I tried to access Kibana by first launching the same HTTP POST call using the Talend Chrome extension. In that case I was able to access it bypassing the login page and I also noticed that the cookie was set.
Whereas if I try to launch it via the Angular script I am redirected to the login page and the cookie is not set.
For this reason I wanted to focus my topic on the theme of cookies, as in my opinion the problem had to be addressed and solved in this direction.
I would also like to say that I have modified the http_tools.js file to enable CORS.
I inserted cors: {additionalHeaders: ['kbn-version', 'kbn-xsrf', 'cookie'], origin: ['*'], credentials: true},
instead of cors: config.cors
I thought that the problem could be caused by the CORS not enabled.
Thank you. I finally decided to install Kibana 7.6.2 on the same domain as my web application. This way I can log into Kibana. The problem in upgrading the Hapi library (in Kibana 7.6.2), to enable the use of SameSite = 'None', is very complex. It becomes preferable, at that point, to install a newer version of Kibana.
Hi, I upgraded Kibana to version 7.10.2.
For the SameSite setup I added the following in kibana.yml:
xpack.security.secureCookies: true
xpack.security.sameSiteCookies: None
but when I try to access the login page I get this result.
While on the Cookie section I get this warning: This Set-Cookie was blocked because it had the "Secure" attribute but was not received over a secure connection.
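The two DevTools warnings in this thread (the first post's "defaulted to SameSite=Lax" message and the last post's "Secure attribute but not received over a secure connection" message) are the browser applying a fixed set of storage rules to the Set-Cookie header. The following JavaScript is an added example, not code from the thread or from Kibana: it parses a Set-Cookie header and applies those rules to a described response context, so you can predict whether a given Kibana cookie configuration will be stored before changing kibana.yml. The header values and contexts are constructed; the caller supplies whether the response was cross-site, whether it answered a top-level navigation, and whether it arrived over HTTPS.

```javascript
// Added example (not from the thread): model the browser's Set-Cookie storage
// rules quoted in the DevTools warnings above.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split("=");
  const cookie = { name: name.trim(), value: rest.join("=").trim(), attrs: {} };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return cookie;
}

// Decide whether the browser stores the cookie.
// ctx = { crossSite, topLevelNavigation, https } describes the response.
function evaluateCookie(header, ctx) {
  const c = parseSetCookie(header);
  const notes = [];
  const blockedBecause = [];

  // Rule 1 (first warning): a missing SameSite attribute is treated as Lax.
  let sameSite = typeof c.attrs.samesite === "string"
    ? c.attrs.samesite.toLowerCase()
    : undefined;
  if (sameSite === undefined) {
    sameSite = "lax";
    notes.push('no SameSite attribute, defaulted to "SameSite=Lax"');
  }
  const secure = c.attrs.secure === true;

  // Rule 2 (last warning): a Secure cookie is only accepted over HTTPS.
  if (secure && !ctx.https) {
    blockedBecause.push('"Secure" attribute but not received over a secure connection');
  }
  // Rule 3: SameSite=None is only honoured together with Secure.
  if (sameSite === "none" && !secure) {
    blockedBecause.push('"SameSite=None" without the "Secure" attribute');
  }
  // Rule 4 (first warning): Lax/Strict cookies are not set by a cross-site
  // response unless that response answered a top-level navigation.
  if (sameSite !== "none" && ctx.crossSite && !ctx.topLevelNavigation) {
    blockedBecause.push(
      `"SameSite=${sameSite}" cookie from a cross-site response that was not a top-level navigation`
    );
  }

  return {
    name: c.name,
    sameSite,
    secure,
    stored: blockedBecause.length === 0,
    blockedBecause,
    notes,
  };
}

// Constructed scenarios mirroring the thread: 7.6.2 default cookie from a
// cross-site XHR, 7.10.2 with sameSiteCookies: None + secureCookies over plain
// HTTP, the same over HTTPS, and the same-origin deployment from the thread.
const XHR_HTTP = { crossSite: true, topLevelNavigation: false, https: false };
const XHR_HTTPS = { crossSite: true, topLevelNavigation: false, https: true };
const SAME_SITE_HTTP = { crossSite: false, topLevelNavigation: false, https: false };
const DEFAULT_COOKIE = "sid=abc123; Path=/; HttpOnly";
const NONE_SECURE_COOKIE = "sid=abc123; Path=/; HttpOnly; Secure; SameSite=None";

for (const [label, header, ctx] of [
  ["7.6.2 default, cross-site XHR over http", DEFAULT_COOKIE, XHR_HTTP],
  ["7.10.2 None+Secure, cross-site XHR over http", NONE_SECURE_COOKIE, XHR_HTTP],
  ["7.10.2 None+Secure, cross-site XHR over https", NONE_SECURE_COOKIE, XHR_HTTPS],
  ["7.6.2 default, same-site deployment", DEFAULT_COOKIE, SAME_SITE_HTTP],
]) {
  const r = evaluateCookie(header, ctx);
  console.log(`${label}: stored=${r.stored}`, r.blockedBecause, r.notes);
}
```

The scenarios reproduce the thread's outcomes: the 7.6.2 cookie with no SameSite attribute is blocked for a cross-site XHR, the 7.10.2 cookie with SameSite=None and Secure is blocked over plain HTTP but stored once Kibana is reached over HTTPS, and the original cookie is stored without any change when the application and Kibana share an origin.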