Hi!

The string e6c12bace0608a422bf03954086e4d0a2ec64e7396a95871af55d986d3c7517968aadfc203975fdc8433e824533229dd is what you want to decrypt. Use the first 16 characters from the application.secret (Play uses only 16-character keys for the AES private key input) and use AES/ECB/PKCS5Padding. The content of the cleartext will be username<tab>session-id. The session id can then be used for REST calls against the servers (as long as that session did not expire, of course). The code for decrypting is https://github.com/Graylog2/graylog2-web-interface/blob/0.20/app/models/UserService.java#L129-129

The session-id value in the cookie should not change, but other fields might, of course.

Best,
Kay

On Friday, February 21, 2014 11:30:43 AM UTC+1, Егор Морозов wrote:
>
> Hi!
>
> I've tried doing this, but still have no success :)
> That's what I have in the cookie:
>
> "bbf13a266d32aef6f89fb35f250db77d15f04516-sessionid=e6c12bace0608a422bf03954086e4d0a2ec64e7396a95871af55d986d3c7517968aadfc203975fdc8433e824533229dd"
>
> If I correctly understood the code, the first part is username<tab>password, the second is username<tab>session-id, but both parts are different every time (that shouldn't happen because login/password are static).
> I've tried to decode one of these strings using AES/ECB/PKCS5Padding, but wasn't able to get anything useful. So I wonder whether any other random symbols are included in the cookie and what exactly the AES method should be?
>
> Thanks!
>
> On Friday, January 24, 2014 1:02:55 PM UTC+2, Kay Röpke wrote:
>>
>> Hi! Sorry for the delay.
>>
>> You could do the same as the web interface does when logging a user in, which is a POST to the /system/sessions resource in the graylog2 server. That will return a session id and a validity timestamp (this is currently fixed to 8 hours).
>>
>> The web interface will then take the username and session-id, concatenate them with a tab character and AES encrypt them to yield the final cookie field called sessionid.
>> Which means that in order to write the cookie you need to have the application.secret of the web interface as well as the user credentials.
>>
>> The server also supports generating access tokens, even though it's not documented anywhere yet, but the web interface only relies on the cookie method described above.
>> The underlying problem is that you need to set up authentication state in two separate applications, so I think this would get tricky and can break easily whenever our code changes.
>>
>> Best,
>> Kay
>>
>> On Wednesday, January 22, 2014 2:09:31 PM UTC+1, Егор Морозов wrote:
>>>
>>> Thanks for the information.
>>>
>>> So what about the cookie generation? We have one page that authenticates the users in Atlassian products by generating a cookie, I think that it should be possible to do the same with Graylog2.
>>>
>>> On Wednesday, January 22, 2014 12:44:15 PM UTC+2, Kay Röpke wrote:
>>>>
>>>> Hi!
>>>>
>>>> Graylog2 0.20 web interface currently only supports authenticating via username/password and after that relies on its own session cookie to authenticate against the graylog2 servers.
>>>> To support client certificates we would need to add that as an authentication mechanism. In fact we have received one or two questions about allowing certificates to be used for authentication, but so far this has been low priority, to be honest.
>>>>
>>>> For this to work sensibly and securely, we would need to support some kind of certificate management for all the connections between the user, web interface process and graylog2 server (as well as mongodb which stores the user's data and session information). That was well beyond the scope of this release, so we decided to not support it for now.
>>>>
>>>> If you need this feature, could you please file an issue over at github: https://github.com/Graylog2/graylog2-web-interface/issues?milestone=&state=open?
>>>>
>>>> BTW, it wouldn't be as easy as in the 0.1x versions, because starting in 0.20 the server authenticates all requests, too, and it has no knowledge about the first proxy server.
>>>>
>>>> Thanks,
>>>> Kay
>>>>
>>>> On Wednesday, January 22, 2014 10:47:33 AM UTC+1, Егор Морозов wrote:
>>>>>
>>>>> Hello everyone!
>>>>>
>>>>> We've been using Graylog2 0.1x for a long time; it was simple enough to patch it to make use of the SSL_CLIENT_S_DN_CN Apache env variable. As it's now powered by a binary, this is much more painful to do, so I wonder if it's somehow possible to make it use any of the variables passed by a proxy (nginx/Apache) to authenticate the user.
>>>>>
>>>>> An alternative approach that I can see is to generate the cookie using a perl or php script, but as I have no experience with Java, I can't really understand how to generate the same cookie (like graylog2-web does). Could someone describe this?
>>>>>
>>>>> Thanks!
>>>>>
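The cookie construction Kay describes above (first 16 characters of application.secret as the AES key, AES/ECB/PKCS5Padding over username<tab>session-id), written out as an added worked example. This is not code from the thread or from the Graylog2 project; it is a stand-alone Go program using only the standard library, written here so the round trip can be checked without Java. Assumptions: the secret, username and session id below are constructed sample values, and the ciphertext is hex encoded, which is inferred from the 96-hex-character sessionid value quoted in the thread rather than stated there; the authoritative reference remains UserService.java linked above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"strings"
)

// Constructed sample values for this example only; not a real secret or session.
const (
	exampleSecret    = "0123456789abcdefghijklmnopqrstuvwxyz-not-a-real-play-secret"
	exampleUser      = "admin"
	exampleSessionID = "6a1d2b9f-4c3e-4f70-9a1b-2c3d4e5f6a7b"
)

// cookieKey uses the first 16 characters of application.secret as the raw AES-128 key.
func cookieKey(secret string) ([]byte, error) {
	if len(secret) < 16 {
		return nil, errors.New("application.secret must be at least 16 characters")
	}
	return []byte(secret[:16]), nil
}

// pkcs5Pad appends 1..16 bytes, each holding the pad length (PKCS5Padding).
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad strips and validates that padding; a wrong key usually fails here.
func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// ecb applies the raw AES block function to every 16-byte block on its own, which
// is what Java's "AES/ECB/PKCS5Padding" does after padding. Go ships no ECB mode.
func ecb(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length or input not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if encrypt {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// encryptSessionCookie builds the sessionid field: hex(AES-ECB(key, user + "\t" + session)).
// Hex output is an assumption taken from the 96-hex-character value quoted in the thread.
func encryptSessionCookie(secret, username, sessionID string) (string, error) {
	key, err := cookieKey(secret)
	if err != nil {
		return "", err
	}
	ct, err := ecb(key, pkcs5Pad([]byte(username+"\t"+sessionID)), true)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(ct), nil
}

// decryptSessionCookie reverses that and splits the cleartext on the tab.
func decryptSessionCookie(secret, hexValue string) (username, sessionID string, err error) {
	key, err := cookieKey(secret)
	if err != nil {
		return "", "", err
	}
	buf, err := hex.DecodeString(hexValue)
	if err == nil {
		buf, err = ecb(key, buf, false)
	}
	if err == nil {
		buf, err = pkcs5Unpad(buf)
	}
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(buf), "\t", 2)
	if len(parts) != 2 {
		return "", "", errors.New("cleartext is not username<tab>session-id")
	}
	return parts[0], parts[1], nil
}
```

Two checks worth keeping in mind when using this against a real cookie. First, the 96-hex-character value in the thread decodes to 48 bytes, i.e. three AES blocks, so the cleartext must be between 33 and 47 bytes after unpadding; a candidate key that yields anything else is wrong before you even look at the bytes. Second, PKCS5 unpadding rejects most wrong keys, but roughly one in 256 wrong keys leaves a final byte of 0x01 and "unpads" to garbage, so the tab split in decryptSessionCookie is a necessary second check, not just a convenience. The ECB mode itself is also why two identical 16-byte plaintext blocks produce identical ciphertext blocks, and why the key's strength is capped by the first 16 characters of the secret: anyone holding application.secret can mint a cookie for any username and session id, exactly as Kay notes above.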