Client IP refreshes only on logout #2656

Open
hc4 opened this Issue Aug 10, 2016 · 7 comments

@hc4
Contributor

hc4 commented Aug 10, 2016

I have SSO enabled and graylog behind reverse proxy.
The problem can be tested on the Users page.

  1. Open the Users page: the correct IP is displayed for the current user.
  2. Remove all trusted_proxies from the graylog config and restart graylog.
  3. The Users page still shows the old user IP (but it should be the proxy IP).
  4. Click "Log out".
  5. The user logs in automatically (thanks to the SSO plugin).
  6. Now the proxy IP is displayed as the client IP for the re-logged-in user.
  7. Return the trusted proxies to the config and restart graylog.
  8. Again, the correct client IP is displayed only after logging in again.

Your Environment

  • Graylog Version: 2.1.0-beta3 snapshot
@kroepke

Member

kroepke commented Aug 10, 2016

Weird, apparently not all session attributes are being updated when the session is validated. I'll investigate.

@kroepke kroepke added the bug label Aug 10, 2016

@kroepke kroepke added this to the 2.1.0 milestone Aug 10, 2016

@hc4 hc4 changed the title from Client IP get refreshes only on logout to Client IP refreshes only on logout Aug 10, 2016

@hc4

Contributor

hc4 commented Aug 11, 2016

Also, strange things happen with last activity.
I have a user for whom the last activity was displayed as "4 months ago".
Then he logged in using SSO, and the last activity became "a few seconds ago".
But after he closed the browser, the last activity was again "4 months ago".

@kroepke kroepke self-assigned this Aug 12, 2016

@kroepke

Member

kroepke commented Aug 12, 2016

@hc4 A user can have multiple sessions; for display purposes we get the latest one.
The user is probably configured so that their sessions never time out.
Also note that old sessions do not have their host stored with them, so previously existing sessions won't show the client IP.

@hc4

Contributor

hc4 commented Aug 12, 2016

I've disabled the "session never expires" option, but this 4-months-ago session is still there :)
Also, I think the session should be validated against the client IP,
i.e. you shouldn't be able to connect from another host with the same session ID.

And how can I clear all user's sessions?

@hc4

Contributor

hc4 commented Aug 12, 2016

http://graylog/system/sessions shows only my session (even though I'm admin).
Can I see all sessions on server using REST API?

@bernd bernd added S3 P2 labels Aug 15, 2016

@kroepke

Member

kroepke commented Aug 15, 2016

That is currently not implemented, no. It was meant to be in #2551, but that didn't make it into 2.1.

@kroepke

Member

kroepke commented Aug 15, 2016

Closer inspection of the framework code showed that this use case is not supported directly.
The session only saves the host where it was originally initiated from, not the current one. I suppose the intention was to be able to find sessions that were created from a different source than is currently being used.

We would need to save the current host differently, but that is out of scope for 2.1.

I'll leave it open so we can integrate it with #2551 and instead change the wording to make it clear that this is not the current host.
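The two mechanisms this thread touches, the trusted-proxy rule that decides which address counts as the client IP (the reproduction steps above) and a session record that stores only its originating host rather than the current one (kroepke's last comment), can be illustrated with a small standalone model. The following is an added example, not Graylog's code or the framework it uses: `resolve_client_ip`, `Session`, `SessionStore`, the `bind_to_origin` flag and all addresses are constructed for illustration. It keeps both an `origin_host` (what the thread says is stored today) and a `last_host` refreshed on every validation (what the display would need), and shows the optional origin binding hc4 asks for, plus a per-user listing and revocation.

```python
import ipaddress
import time
from dataclasses import dataclass


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the client IP as a reverse-proxy-aware server would see it.

    X-Forwarded-For is only honoured when the direct peer is a trusted proxy;
    with an empty trusted_proxies list the peer (the proxy) is reported, which
    is the behaviour step 3 of the report expects after a restart.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(remote_addr)

    def trusted(addr):
        return any(addr in n for n in nets)

    if not trusted(peer) or not x_forwarded_for:
        return str(peer)
    # Walk the chain right to left; the first hop that is not a trusted proxy
    # is the client. Proxies append, so the rightmost entries are the trusted ones.
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: do not trust any of it
        if not trusted(addr):
            return str(addr)
    return hops[0]  # every hop was a trusted proxy; report the leftmost


@dataclass
class Session:
    session_id: str
    user: str
    origin_host: str     # host the session was created from (what the thread says is stored)
    last_host: str       # host seen on the most recent validation (what the UI should show)
    last_activity: float


class SessionStore:
    """Hypothetical in-memory session store; `clock` is injectable for testing."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, session_id, user, client_ip):
        now = self._clock()
        session = Session(session_id, user, client_ip, client_ip, now)
        self._sessions[session_id] = session
        return session

    def validate(self, session_id, client_ip, bind_to_origin=True):
        """Validate a presented session ID; refresh last_host and last_activity.

        With bind_to_origin=True a session presented from a host other than
        the one it was created from is rejected (returns None).
        """
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if bind_to_origin and client_ip != session.origin_host:
            return None
        session.last_host = client_ip
        session.last_activity = self._clock()
        return session

    def sessions_for(self, user):
        """All sessions of a user, newest activity first (the UI shows the first)."""
        return sorted((s for s in self._sessions.values() if s.user == user),
                      key=lambda s: s.last_activity, reverse=True)

    def revoke_all(self, user):
        """Drop every session of a user; returns how many were removed."""
        ids = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in ids:
            del self._sessions[sid]
        return len(ids)


if __name__ == "__main__":
    # Constructed sample: proxy at 10.0.0.5 forwards a client at 203.0.113.9.
    print(resolve_client_ip("10.0.0.5", "203.0.113.9", ["10.0.0.0/8"]))  # client
    print(resolve_client_ip("10.0.0.5", "203.0.113.9", []))              # proxy
```

Binding a session to its origin host, as in `validate(..., bind_to_origin=True)`, is the strict form of the check hc4 proposes; deployments where clients legitimately change address (mobile networks, proxy pools) usually prefer recording `last_host` and alerting on changes instead of rejecting outright.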

@kroepke kroepke modified the milestones: 2.2.0, 2.1.0 Aug 16, 2016

@kroepke kroepke added severe triaged and removed severe triaged labels Sep 21, 2016

@joschi joschi removed P2 S3 severe labels Jan 4, 2017

@joschi joschi removed this from the 2.2.0 milestone Jan 4, 2017
