searchguard.session.ttl seems not to be working in Kibana 6.5.4.

Hi,

I am using Elasticsearch and Kibana version 6.5.4 and the respective 6.5.4 Search Guard plugins. The "searchguard.session.ttl" parameter does not seem to be configurable to other values; auto logout only happens with the default value (1 hr). This was working fine in 6.2.4 ELK.

OS - RHEL 7.5

OpenJDK - 1.8

Can you please help me?

Thanks,
Chaitra

Hi there,

Could you please elaborate a bit on what is not working as expected?

Do you want the authentication cookie to expire after a certain time period, but that does not happen?

Do you have any authentication headers in the browser - for example after entering your credentials in the browser’s basic auth dialog (the popup)?

As far as I can tell, the session.ttl handling has not changed between 6.2.* and 6.5.*, so I’d need to look into that…

Thanks,

Mike

···

On Monday, 4 March 2019 10:34:02 UTC+1, chaitra hegde wrote:

Hi,

I am using Elasticsearch and Kibana version 6.5.4 and respective 6.5.4 searchguard plugins. The “searchguard.session.ttl” parameter seems not configurable to other values. Only with default value(1 hr) auto logout is happening. This was working fine in 6.2.4 ELK.

OS - RHEL 7.5

OpenJDK - 1.8

Can you please help me.

Thanks,
Chaitra

Hi,

Yes. I want the session cookie to expire after the configured time, which is set in "searchguard.session.ttl".

In the earlier version, i.e. 6.2.4, if I configured searchguard.session.ttl: 180000, which is 3 min, auto logout was happening and the browser used to ask for username and password after 3 min.

But now, in 6.5.4, if I configure searchguard.session.ttl: 180000, auto logout is not happening. Only after 1 hr (the default) does auto logout happen.

I have attached my headers from after I enter my credentials in Kibana.

···

On Tuesday, March 5, 2019 at 6:53:53 PM UTC+5:30, Mike wrote:

Hi there,

Could you please elaborate a bit on what is not working as expected?

Do you want the authentication cookie to expire after a certain time period, but that does not happen?

Do you have any authentication headers in the browser - for example after entering your credentials in the browser’s basic auth dialog (the popup)?

As far as I can tell, the session.ttl handling has not changed between 6.2.* and 6.5.*, so I’d need to look into that…

Thanks,

Mike

On Monday, 4 March 2019 10:34:02 UTC+1, chaitra hegde wrote:

Hi,

I am using Elasticsearch and Kibana version 6.5.4 and respective 6.5.4 searchguard plugins. The “searchguard.session.ttl” parameter seems not configurable to other values. Only with default value(1 hr) auto logout is happening. This was working fine in 6.2.4 ELK.

OS - RHEL 7.5

OpenJDK - 1.8

Can you please help me.

Thanks,
Chaitra

Hi Mike,

I'm also getting the same issue. Please let me know if there are any updates on this.

···

On Monday, March 4, 2019 at 3:04:02 PM UTC+5:30, chaitra hegde wrote:

Hi,

I am using Elasticsearch and Kibana version 6.5.4 and respective 6.5.4 searchguard plugins. The “searchguard.session.ttl” parameter seems not configurable to other values. Only with default value(1 hr) auto logout is happening. This was working fine in 6.2.4 ELK.

OS - RHEL 7.5

OpenJDK - 1.8

Can you please help me.

Thanks,
Chaitra

Ok, thanks for the info! I’ll look into this and get back to you!

···

On Wednesday, 6 March 2019 08:38:07 UTC+1, chaitra hegde wrote:

Hi,

Yes. I want the session cookie to expire after configured time which is configured in “searchguard.session.ttl”

In early version i.e, 6.2.4, For example if i configure searchguard.session.ttl: 180000 which is 3min, auto logout was happening and the browser used to ask for username and password after 3 min.

But now, in 6.5.4, if I configure searchguard.session.ttl: 180000 autologout is not happening. Only after 1hr (default) auto logout is happening.

I have attached my Headers after I enter my credentials in kibana.

On Tuesday, March 5, 2019 at 6:53:53 PM UTC+5:30, Mike wrote:

Hi there,

Could you please elaborate a bit on what is not working as expected?

Do you want the authentication cookie to expire after a certain time period, but that does not happen?

Do you have any authentication headers in the browser - for example after entering your credentials in the browser’s basic auth dialog (the popup)?

As far as I can tell, the session.ttl handling has not changed between 6.2.* and 6.5.*, so I’d need to look into that…

Thanks,

Mike

On Monday, 4 March 2019 10:34:02 UTC+1, chaitra hegde wrote:

Hi,

I am using Elasticsearch and Kibana version 6.5.4 and respective 6.5.4 searchguard plugins. The “searchguard.session.ttl” parameter seems not configurable to other values. Only with default value(1 hr) auto logout is happening. This was working fine in 6.2.4 ELK.

OS - RHEL 7.5

OpenJDK - 1.8

Can you please help me.

Thanks,
Chaitra

Hi,
I have upgraded ELK to 7.0.1 and am still facing the same issue.
Can you please help me resolve this?

We did push a fix for this back in March, but I’ll look into it again.

Could you please post your timeout and authentication type settings?

I’ve tested again, and it seems like the timeout behaves as expected, at least when using basic auth.
Maybe you’re using a different auth type?
If so, this might be of interest: Increase Kibana Timeout does not work

Hi @Mike,
We are using Search Guard with basic auth and the timeout is not happening as expected.

server.name: kibana
server.host: "0"
searchguard.session.keepalive: true
searchguard.cookie.ttl: 300000
searchguard.session.ttl: 300000

I have configured the cookie and session ttl as 5 min (300000 ms). But after 5 min of inactivity on the Kibana UI, when I again try to access something on Kibana, Search Guard DOES NOT prompt again for user login and lets me in without re-login.
I am using ELK 7.0.1.
Is this the expected behaviour of Kibana + Search Guard?

Hi @Mike,
Did you get a chance to look at my previous comment? Any suggestions of how I can configure the session timeout?

@shivani.aggarwal2195 I did yes, and I do get logged out with those settings.

Two things come to mind:

  1. Did you perhaps enter credentials in the browser popup, e.g. when opening Elasticsearch directly? Those credentials would then remain as request headers.
  2. Could you open the network tab in the browser’s development tools and check if there are any requests sent in the background? Is there any polling going on that would extend the session?

Hi @Mike

  1. No, I did not access Elasticsearch directly via the browser.
  2. I checked the network tab as well. There are no requests in the background; I only see an entry in the network tab when I click something on the UI.

These were my findings:
i. On the Kibana UI, if I move between static pages like Management, Visualization, Home page and Dashboards, then after keeping the browser inactive for the specified ttl time I get the login pop-up, as the session has expired and the user needs to re-login.

ii. But, with the same configuration, when I stay inactive on the Dev Tools page, it does not prompt for re-login after the ttl time.
Also, if I remain inactive on some static page like Management and from there go to the Dev Tools page, it doesn't prompt for re-login and lets me run queries. It then extends the session as well.

Is this expected behaviour with the Dev Tools page? There is a cursor blinking on this page all the time. Could this be a reason why the session keeps being extended on this page?
If this is the case, I suspect the same will happen on the Discover tab as well if I enable auto-refresh.

Any comments/suggestions?

Hi @shivani.aggarwal2195

Thanks for the details, that helps!

The dev page really is a special case. We're not always able to redirect to the login form in this case.
However, instead of a real query result, you should see a message: "Session expired":

{
  "message": "Session expired",
  "redirectTo": "login"
}

Could you please check if that’s the case for you? If you do see a real query result, then something is wrong.

As for switching to the Management page - if Kibana doesn’t request any data and just updates the frontend, we can’t really detect the expired session. But as soon as you click any item on that page, you should be redirected to the login page.

I will dig a bit deeper into this to see if I can make it a bit less confusing.

Hi @Mike
Thanks for the response!
Even after the session ttl time, I am able to run the queries and see their proper results. It does not show me the "Session expired" error. :frowning:

However, I tried configuring searchguard.session.keepalive: false. With this, I noticed that after the session ttl time my queries give the response shown in the image below.

Ok, this is getting strange. That you see the HTML in the response indicates that the request isn't recognized as an AJAX/XHR call. Would it be possible to post a screenshot of your network requests in the developer tools?
It would be interesting to see
a) if there are any other requests going out that keep the session alive
b) the content-type and accept headers on the request that shows the HTML in your screenshot.

These are the screenshots for the error shown above:
Please note: this is when searchguard.session.keepalive: false is configured.

When I try with searchguard.session.keepalive: true, the queries run fine even after the session ttl time and I don't get any session expired errors.

Hi @Mike,

I don't think there are any other requests going out that keep the session alive.
On all other pages (except Dev Tools), I see the session expire after keeping the browser inactive for the session ttl time.
But on the Dev Tools page, even after keeping the session inactive for the session ttl time, I can run queries and get proper results with no "session expired" error.

Hi @Mike,

These are my current findings wrt session ttl. Please have a look at the cases below:

  1. If we are on the Dev Tools page and remain inactive for the ttl time, it extends the session (as pointed out by you, the Dev Tools page is a special case). But after that, if we click on Dashboard or any other static page and remain inactive for the ttl time, it does not prompt for re-login even on clicking the static pages. That means that once we visit the Dev Tools page, the session never expires afterwards.

  2. If we are on Dashboard or another static page and remain inactive for the ttl time, then after clicking on Dev Tools, when I run any query it doesn't show the query result; instead it shows the HTML page (as shared earlier).
    After that, if we click on the Management tab, it does not prompt for re-login. After this, if we switch to the Dev Tools page again, we get the "session expired" error.

  3. If we are on Dashboard or any other static page and remain inactive for the ttl time, and then click on the Management page, it does not prompt for re-login. Then if we switch to Dev Tools we get the "session expired" error.
    So, we see that the "session expired" error appears on Dev Tools only after I move from Management to Dev Tools.

Can you have a look at these and see if this is the expected behaviour? I am concerned about point 1, as the session ttl functionality seems to not work at all after the user accesses the Dev Tools page.

Hi @shivani.aggarwal2195,

Thanks for the detailed information!

I think I've finally found the explanation for this mystery:

  1. Open the Kibana Dev Tools
  2. Open the network tab again in your browser’s dev tools and select “XHR”
  3. Most likely, every sixty seconds or so you will see 1-3 requests going out?


This is caused by this line in Kibana, which repeatedly requests information for the editor’s autocomplete (I think): https://github.com/elastic/kibana/blob/v7.0.1/src/legacy/core_plugins/console/public/src/mappings.js#L320

These calls only go out if at least one of the settings for "Autocomplete" is selected.

As you noted, these requests keep going out even if you switch to another app and don’t stop until the page is reloaded. Hence, the session is kept alive.

I find this behaviour a bit weird, so I’ll talk to the team about this, but hopefully this helps you for now!
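The keep-alive mechanics Mike describes, as an added example that is not Search Guard or Kibana code: a small JavaScript model of a session cookie under sliding (keepalive: true) versus fixed expiry, replayed over a constructed request timeline with a 60-second autocomplete poll, plus a check that flags regularly spaced background requests of the kind visible under the XHR filter. The session model, the timeline, and the `findPeriodicBackground` helper are assumptions for illustration, not Search Guard's implementation.

```javascript
// Added example (not Search Guard or Kibana code): a model of a TTL-based
// session cookie under sliding (keepalive: true) vs. fixed expiry, showing
// why periodic background XHR calls, such as Console autocomplete polls,
// keep the session alive. Values mirror the thread's 300000 ms TTL.
const SESSION_TTL_MS = 300000;

function createSession(startMs, ttlMs, keepalive) {
  return { ttlMs, keepalive, expiresAt: startMs + ttlMs };
}

// Returns true if the request is accepted. With keepalive the expiry slides
// forward on every accepted request; otherwise it stays where it was set.
function handleRequest(session, nowMs) {
  if (nowMs >= session.expiresAt) return false;
  if (session.keepalive) session.expiresAt = nowMs + session.ttlMs;
  return true;
}

// Replays a request timeline and returns the time of the first rejected
// request, or null if the session survived the whole timeline.
function firstExpiry(requests, keepalive) {
  const session = createSession(requests[0].t, SESSION_TTL_MS, keepalive);
  for (const req of requests) {
    if (!handleRequest(session, req.t)) return req.t;
  }
  return null;
}

// Flags background (non-user) requests sent at a near-constant interval,
// the pattern to look for in the browser's network tab (XHR filter).
function findPeriodicBackground(requests, toleranceMs = 1000) {
  const times = requests.filter((r) => r.kind !== 'user').map((r) => r.t);
  if (times.length < 3) return null;
  const gaps = times.slice(1).map((t, i) => t - times[i]);
  const regular = gaps.every((g) => Math.abs(g - gaps[0]) <= toleranceMs);
  return regular ? { intervalMs: gaps[0], count: times.length } : null;
}

// Constructed timeline: a user click at t=0, an autocomplete poll every 60 s
// while the Dev Tools tab is open, then the user returns after 400 s.
const withPolls = [{ t: 0, kind: 'user' }];
for (let t = 60000; t <= 360000; t += 60000) withPolls.push({ t, kind: 'autocomplete' });
withPolls.push({ t: 400000, kind: 'user' });

// The same user behaviour with autocomplete switched off: no polls at all.
const withoutPolls = withPolls.filter((r) => r.kind === 'user');
console.log('sliding, polls:', firstExpiry(withPolls, true));          // null (never expires)
console.log('fixed, polls:', firstExpiry(withPolls, false));           // 300000
console.log('background pattern:', findPeriodicBackground(withPolls)); // { intervalMs: 60000, count: 6 }
```

With the sliding policy, each poll pushes the expiry another 300 s out, so the cookie outlives any idle period shorter than the poll interval; with the fixed policy the 300 s limit holds regardless of traffic.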