Kibana/Shield sid Cookie Collision

security

(Jared Kauppila) #1

Pulling this into a new topic from "Server.basePath redirect loop with Shield".

I'm routing to multiple Kibana instances from a single URL based on the context utilizing an F5 LTM as a reverse proxy. All Kibana instances are configured to use Shield against the backend ES cluster.

I can log in fine to kibana.contoso.com/foo/ and get the sid cookie on the path of /foo/.

I can then immediately log in to kibana.contoso.com/ and get its own sid cookie on the path of /.

But if I log in to kibana.contoso.com/ first and get the cookie, and then proceed to log in to kibana.contoso.com/foo/, I get stuck in a redirect loop. Since I now see the cookie at path /, I'm guessing that's causing some type of conflict? Simply deleting the sid cookie from / allows me to log in fine.

Ideally for my use-case, I'd like the option to log in to one of the Kibana instances and utilize the same cookie across all of the instances, since we're just separating to provide different teams modify access to their own; everyone will have read access to all of them.
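Added example, not part of the original post: a small model of browser cookie path matching and `Cookie` header ordering (RFC 6265, sections 5.1.4 and 5.4), showing which `sid` cookies reach each path when both instances share one hostname. The session values and function names are constructed for illustration, and the sketch says nothing about how Kibana or Shield treats the header once it arrives.

```javascript
// RFC 6265 section 5.1.4: does the request path match the cookie's Path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a '/' boundary, so Path=/foo does not match /foobar.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Build the Cookie header a browser would send: every matching cookie,
// longer paths first (RFC 6265 section 5.4), ties broken by creation order.
function cookieHeader(jar, requestPath) {
  return jar
    .map((c, i) => ({ ...c, order: i }))
    .filter(c => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length || a.order - b.order)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Cookie names that occur more than once in a header (ambiguous to a server).
function duplicateNames(header) {
  const counts = {};
  for (const pair of header.split('; ').filter(Boolean)) {
    const name = pair.split('=')[0];
    counts[name] = (counts[name] || 0) + 1;
  }
  return Object.keys(counts).filter(n => counts[n] > 1);
}

// Constructed cookie jars (values are placeholders, not real session ids).
const rootOnly = [{ name: 'sid', value: 'ROOT_SESSION', path: '/' }];
const both = [
  { name: 'sid', value: 'ROOT_SESSION', path: '/' },
  { name: 'sid', value: 'FOO_SESSION', path: '/foo/' },
];

// Logged in at / first: the root cookie is already sent to /foo/.
console.log('rootOnly, /foo/ ->', cookieHeader(rootOnly, '/foo/'));
// Both sessions exist: / sees one sid, /foo/ sees two.
console.log('both, /         ->', cookieHeader(both, '/'));
console.log('both, /foo/     ->', cookieHeader(both, '/foo/'));
console.log('duplicates at /foo/:', duplicateNames(cookieHeader(both, '/foo/')));
```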

