Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Not able to set SameSite attribute of security_authentication cookie to value 'Strict' . #2132

Open
rakhinarveka1 opened this issue Oct 4, 2024 · 1 comment
Open

[BUG] Not able to set SameSite attribute of security_authentication cookie to value 'Strict' . #2132

rakhinarveka1 opened this issue Oct 4, 2024 · 1 comment
Labels
bug Something isn't working triaged

Comments

@rakhinarveka1
Copy link

What is the bug?
security_authentication cookie being set by security dashboard plugin , SameSite attribute not able to set to 'Strict'.

How can one reproduce the bug?
Steps to reproduce the behavior:
we have installed security-dashboard plugin into opensearch-dashboard. and security configuration are done through opensearch-dashboards.yml file

opensearch_security.session.ttl: 60000
opensearch_security.cookie.ttl: 60000
opensearch_security.cookie.secure: true
opensearch_security.cookie.isSameSite: "Strict"
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: false
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

What is the expected behavior?
Would it be possible to set SameSite to 'Strict'

What is your host/environment?
we are using OpenSearch-Dashboard 2.11 version with compatible security-dashboard plugin version 2.11.1.0
same issue persist with OpenSearch-Dashboard 1.3.17 version with compatible security-dashboard plugin version 1.3.17.0

Do you have any screenshots?
from below image it could be seen that security_authentication cookie's SameSite attribute is not set to 'Strict'

image

Do you have any additional context?
I have compile the source code of security plugin with changes in security_cookies.ts file with below function code change, But seems its not working.

export function clearOldVersionCookieValue(config: SecurityPluginConfigType): string {
if (config.cookie.secure) {
return 'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Path=/; SameSite=Strict';
} else {
return 'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/; SameSite=Strict';
}
}
@rakhinarveka1 rakhinarveka1 added bug Something isn't working untriaged labels Oct 4, 2024
@cwperks cwperks added triaged and removed untriaged labels Oct 7, 2024
@cwperks
Copy link
Member

cwperks commented Oct 7, 2024

[Triage] Thank you for filing this issue @rakhinarveka1. Looks like a similar feature request was raised in the past and quickly closed. This looks like a good feature request. Marking this as triaged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cwperks @rakhinarveka1