Following cross-site links logs out current session

Description

On clicking an OpenNMS HTML link, what seems to be a new session is opened rather than continuing with the current active session. It prompts to log in to OpenNMS even though there’s already an active tab/page opened. At the same time, the current active session seems to be deactivated. Subsequently, all the active sessions are logged out. When you refresh those pages, it redirects to the login page. This behavior is observed on any OpenNMS HTML link, including the pages index, events, alarms, etc.

Reproduce

  • Write an HTML doc containing HTML links. For example,

    <!doctype html>
    <html lang="en">
    <p><a href="http://192.168.86.145:8980/opennms/">Index</a></p>
    <p><a href="http://192.168.86.145:8980/opennms/alarm/detail.htm?id=1">Alarm detail</a></p>
    <p><a href="http://192.168.86.145:8980/opennms/event/detail.jsp?id=8">Event detail</a></p>
    </html>

  • While logged in to OpenNMS with an active OpenNMS page open in front of you, open the HTML file and click those links. It will look something like this.

  • A login page is opened rather than being redirected to the link URL.

  • Refresh the active page(s); it redirects to the login page. It’s no longer active.

  • Proceed by logging in; it doesn’t redirect to the target URL but lands on the main page/front page. The expected behavior is to redirect to the target URL once logged in.

  • Tested on Horizon 31 and Horizon 30. Horizon 30 doesn’t exhibit the session issue; it only exhibits the URL redirection problem upon logging in described in the previous point.

  • Another way to reproduce this is by clicking the link from MS Teams. This behavior is not observed when testing it from Mattermost.

Problem Analysis

Looks like every time the HTML link or MS Teams link is clicked, it resets the cookie with a new JSESSIONID instead of persisting the active session cookie.
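To make the symptom in the analysis above checkable, here is a small diagnostic helper. It is an added example, not code from OpenNMS or from this issue's attachments. Given a trace of navigation steps (which session cookie the browser sent, which Set-Cookie headers came back), it reports at which step the server issued a different JSESSIONID than the one the browser presented, and whether the cookie's SameSite/Secure attributes would let a browser attach it to a top-level navigation from another site at all. The cookie name JSESSIONID comes from the analysis above; the header values and the three-step trace are constructed for illustration, and treating an unspecified SameSite as Lax is an assumption about current browser defaults, not a statement about OpenNMS's configuration.

```python
"""Diagnostic helper for session-cookie rotation across navigations.

Added example; not OpenNMS code. All header values below are constructed.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to True, valued attributes (Path, SameSite, ...) to their value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def session_from_response(set_cookie_headers, cookie_name="JSESSIONID"):
    """Return (value, attrs) for cookie_name among the response's Set-Cookie
    headers, or None when the response did not (re)issue that cookie."""
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name == cookie_name:
            return value, attrs
    return None


def cross_site_delivery(attrs):
    """Would a browser attach a cookie with these attributes to a top-level
    navigation (a clicked link) coming from a different site?

    SameSite=Strict: never. SameSite=None: only if Secure is also set.
    SameSite=Lax or unspecified (assumed Lax, as current browsers default): yes.
    """
    samesite = str(attrs.get("samesite", "lax")).lower()
    if samesite == "strict":
        return False
    if samesite == "none":
        return bool(attrs.get("secure"))
    return True


def analyse_navigation(trace, cookie_name="JSESSIONID"):
    """trace: list of (label, cookie value the browser sent, Set-Cookie headers).

    Returns one finding per step; 'rotated' is True when the browser presented
    a session id and the server answered with a different one, which is the
    symptom described in the issue (a fresh session replacing the live one).
    """
    findings = []
    for label, sent, set_cookies in trace:
        issued = session_from_response(set_cookies, cookie_name)
        findings.append({
            "step": label,
            "sent": sent,
            "issued": issued[0] if issued else None,
            "rotated": bool(issued and sent and issued[0] != sent),
            "cross_site_ok": cross_site_delivery(issued[1]) if issued else None,
        })
    return findings


def rotated_steps(trace, cookie_name="JSESSIONID"):
    """Labels of the steps at which the session id was replaced."""
    return [f["step"] for f in analyse_navigation(trace, cookie_name) if f["rotated"]]


# Constructed trace modelling the report: login, an in-app click, then a click
# on the same URL from an external HTML page. Session ids are made up.
SAMPLE_TRACE = [
    ("login (same-site)", None,
     ["JSESSIONID=node0aaa111; Path=/opennms; HttpOnly"]),
    ("same-tab navigation", "node0aaa111", []),
    ("cross-site link click", "node0aaa111",
     ["JSESSIONID=node0bbb222; Path=/opennms; HttpOnly"]),
]

if __name__ == "__main__":
    for finding in analyse_navigation(SAMPLE_TRACE):
        print(finding)
    print("session replaced at:", rotated_steps(SAMPLE_TRACE))
```

When run against a real capture, the `trace` would be filled from the browser's network log (request Cookie header and response Set-Cookie headers per step); a `rotated` step that coincides with the external link click, while same-tab steps stay stable, reproduces the cookie reset described above, and `cross_site_ok` being False points at the cookie attributes rather than the server's session handling as the reason the old session was never presented.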

Acceptance / Success Criteria

None

Attachments

  • 1 attachment (20 Jan 2023, 10:54 PM)

Activity


Christian Pape March 28, 2023 at 6:31 AM

Merged.

Christian Pape March 21, 2023 at 10:31 AM

DJ Gregor January 30, 2023 at 10:35 PM

there is a somewhat similar issue with handling logins with onms-k8s-poc where the user gets a “too many redirects error” when trying to login unless they provide a full path to the login page, /opennms/login.jsp. It sounds like this is a different enough issue that I should probably create a separate issue for the login problem. I’ll do that in a little bit unless you suggest something else.

More details here: https://opennms.atlassian.net/browse/NMS-15320?focusedCommentId=70025

I suspect it might have something to do with the connection being https between the browser and the front-end reverse proxy (nginx, etc.), and plaintext between the proxy and OpenNMS.

Jeff Gehlbach January 30, 2023 at 9:44 PM

Let’s plan to include the docs work described below in the March releases.

I’m adding all active Meridians to fix-versions, but only for Meridian 2023 does the version already exist for the March release, so we’ll end up pushing those out as we release the older Meridians and create the successor versions as part of that process. Same goes for Horizon 31.0.4.

Jeff Gehlbach January 27, 2023 at 5:33 PM
Edited

We want to ship with the most secure default configuration that is generally useful.

Let’s document the existence of this setting, its possible values, and the implications of each value. I propose putting it in the Administration section, perhaps near the subsection on External Authentication.

My comment below with the config snippet should make a good starting point. I’ve marked this issue as needs docs, and added it to the docs backlog.

Fixed

Details

Docs Needed: Yes
Created January 20, 2023 at 10:54 PM
Updated March 28, 2023 at 6:31 AM
Resolved March 28, 2023 at 6:31 AM