Hi! I've tried doing this, but still have no success :)

That's what I have in the cookie:

"bbf13a266d32aef6f89fb35f250db77d15f04516-sessionid=e6c12bace0608a422bf03954086e4d0a2ec64e7396a95871af55d986d3c7517968aadfc203975fdc8433e824533229dd"

If I understood the code correctly, the first part is username<tab>password and the second is username<tab>session-id, but both parts are different all the time (that shouldn't happen because login/password are static). I've tried to decode one of these strings using AES/ECB/PKCS5Padding, but wasn't able to get anything useful. So I wonder whether any other random symbols are included in the cookie, and what exactly the AES method should be?

Thanks!

On Friday, January 24, 2014 1:02:55 PM UTC+2, Kay Röpke wrote:
>
> Hi! Sorry for the delay.
>
> You could do the same as the web interface does when logging a user in,
> which is a POST to the /system/sessions resource in the graylog2 server.
> That will return a session id and a validity timestamp (this is currently
> fixed to 8 hours).
>
> The web interface will then take the username and session-id, catenate
> them with a tab character and AES encrypt them to yield the final cookie
> field called sessionid.
> Which means that in order to write the cookie you need to have the
> application.secret of the web interface as well as the user credentials.
>
> The server also supports generating access tokens, even though it's not
> documented anywhere yet, but the web interface only relies on the cookie
> method described above.
> The underlying problem is that you need to set up authentication state in
> two separate applications, so I think this would get tricky and can break
> easily whenever our code changes.
>
> Best,
> Kay
>
>
> On Wednesday, January 22, 2014 2:09:31 PM UTC+1, Егор Морозов wrote:
>>
>> Thanks for the information.
>>
>> So what about the cookie generation? We have one page that authenticates
>> the users in Atlassian products by generating a cookie, I think that it
>> should be possible to do the same with Graylog2.
>>
>> On Wednesday, January 22, 2014 12:44:15 PM UTC+2, Kay Röpke wrote:
>>>
>>> Hi!
>>>
>>> Graylog2 0.20 web interface currently only supports authenticating via
>>> username/password and after that relies on its own session cookie to
>>> authenticate against the graylog2 servers.
>>> To support client certificates we would need to add that as an
>>> authentication mechanism. In fact we have received one or two questions
>>> about allowing certificates to be used for authentication, but so far this
>>> has been low priority, to be honest.
>>>
>>> For this to work sensibly and securely, we would need to support some
>>> kind of certificate management for all the connections between the user,
>>> web interface process and graylog2 server (as well as mongodb which stores
>>> the user's data and session information). That was well beyond the scope of
>>> this release, so we decided to not support it for now.
>>>
>>> If you need this feature, could you please file an issue over at github:
>>> https://github.com/Graylog2/graylog2-web-interface/issues?milestone=&state=open?
>>>
>>> BTW, it wouldn't be as easy as in the 0.1x versions, because starting in
>>> 0.20 the server authenticates all requests, too, and it has no knowledge
>>> about the first proxy server.
>>>
>>> Thanks,
>>> Kay
>>>
>>>
>>> On Wednesday, January 22, 2014 10:47:33 AM UTC+1, Егор Морозов wrote:
>>>>
>>>> Hello everyone!
>>>>
>>>> We've been using Graylog2 0.1x for a long time, it was simple enough to
>>>> patch it and make it use the SSL_CLIENT_S_DN_CN Apache env variable. As now
>>>> it's powered using a binary, it is much more painful to do the same so I
>>>> wonder if it's somehow possible to make it use any of the variables passed
>>>> by a proxy (nginx/Apache) to authenticate the user.
>>>>
>>>> Alternative approach that I can see is to generate the cookie using
>>>> perl or php script, but as I have no experience with Java, I can't really
>>>> understand how to generate the same cookie (like graylog2-web does). Could
>>>> someone describe this?
>>>>
>>>> Thanks!
>>>>
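
The sessionid field construction Kay Röpke describes in the quoted reply above (username, a tab, the session id, AES-encrypted under application.secret), as an added Go example that is not Graylog2's code and not part of the thread. The cipher mode, padding, key derivation and hex encoding are assumptions, as are the function names and the constructed secret and session id.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"strings"
)

// ASSUMPTIONS (the thread names only "AES" and application.secret): AES-128 in ECB mode
// with PKCS5 padding, key = first 16 bytes of the secret, ciphertext written as hex.
// The 40-hex-character prefix in the posted cookie is not produced or checked here.

// SealSession encrypts username<TAB>session-id into the "sessionid" field value.
func SealSession(secret, user, sid string) (string, error) {
	if len(secret) < 16 {
		return "", fmt.Errorf("application.secret shorter than 16 bytes")
	}
	blk, _ := aes.NewCipher([]byte(secret)[:16]) // a 16-byte key never errors
	pad := 16 - len(user+"\t"+sid)%16
	buf := []byte(user + "\t" + sid + strings.Repeat(string(rune(pad)), pad))
	for i := 0; i < len(buf); i += 16 {
		blk.Encrypt(buf[i:i+16], buf[i:i+16])
	}
	return hex.EncodeToString(buf), nil
}

// OpenSession reverses SealSession; it accepts the bare field value or a whole cookie.
func OpenSession(secret, cookie string) (user, sid string, err error) {
	if _, v, ok := strings.Cut(cookie, "sessionid="); ok {
		cookie = v
	}
	ct, herr := hex.DecodeString(cookie)
	if len(secret) < 16 || herr != nil || len(ct) == 0 || len(ct)%16 != 0 {
		return "", "", fmt.Errorf("short secret, or value is not whole hex-encoded AES blocks")
	}
	blk, _ := aes.NewCipher([]byte(secret)[:16])
	for i := 0; i < len(ct); i += 16 {
		blk.Decrypt(ct[i:i+16], ct[i:i+16])
	}
	pad := int(ct[len(ct)-1])
	if pad < 1 || pad > 16 || !strings.Contains(string(ct[:len(ct)-pad]), "\t") {
		return "", "", fmt.Errorf("wrong key or format: bad padding or no tab")
	}
	user, sid, _ = strings.Cut(string(ct[:len(ct)-pad]), "\t")
	return user, sid, nil
}

func main() { fmt.Println(SealSession("constructed-secret-0123456789", "admin", "constructed-sid")) }
```

Under these assumptions the sealed value changes whenever /system/sessions issues a new session id, even though the username stays the same.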