Unable to automatically login using Remember Me option #4705

Closed
bcoory opened this issue Apr 13, 2022 · 42 comments
Labels: bug (Undesired behaviour), confirmed (Bug is confirm by dev team), resolved (A fixed issue)

Comments

@bcoory

bcoory commented Apr 13, 2022

Describe the bug

After upgrading to 1.2.20 from 1.2.19 I cannot get the remember me function to work after closing the browser. Tried on multiple browsers, same issue.

Confirmed Support Authentication Cookies is enabled.

Cleared all cookies and cache from browser.

Cookie info in browser says it Expires When the browsing session ends.

Rolled back to 1.2.19 to test and works as expected.

Issue occurs with both local and LDAP login.

Single Cacti instance - Tried modifying cacti_session_name with no luck.

cacti_cookie_domain is commented out. I also tried enabling this with our Cacti FQDN with no luck.

To Reproduce

Upgrade and login ticking "Keep me signed in". Save password when prompted by browser. Then close browser and go to cacti site.

Expected behavior

Bypass login page once "Keep me signed in" is ticked.

Desktop (please complete the following information)

  • OS: Windows 10 Pro 21H2

  • Browser: Latest Chrome, Edge and Firefox

  • Version [e.g. 22] Chrome- 100.0.4896.75 Edge- 00.0.1185.39 Firefox- 99.01

@bcoory bcoory added bug Undesired behaviour unverified Some days we don't have a clue labels Apr 13, 2022
@TheWitness
Member

This is duplicate. Try updating to the latest 1.2.x branch and see if the problem goes away.

@TheWitness
Member

Another note is that we did a change to the Remember Me support. After you grab the latest, go to your User Profile and press the logout everywhere button. If you want to do that for everyone, you simply have to TRUNCATE TABLE user_auth_cache;. There was a bug prior to 1.2.20 where the tokens were not realm aware, say LDAP or Local. So, that was added to the user_auth_cache table.

@bcoory
Author

bcoory commented Apr 14, 2022

I have just tried updating to the latest 1.2.x branch and using the "Log out everywhere" button. Still having the same issue.

@TheWitness
Member

What auth method are you using?

@bcoory
Author

bcoory commented Apr 14, 2022

LDAP. But I get the same issue using a local account.

@TheWitness
Member

Then, you must not be on the latest or there is some other reason. Did you truncate the table? That might fix it.

@TheWitness
Member

I see the issue, yea, just truncate the table.

@bcoory
Author

bcoory commented Apr 14, 2022

Definitely on the latest. I checked the table before truncating and it was empty. After that I tried logging in using both a local and AD account and ticking remember but nothing is written to the table.

@TheWitness
Member

Well, that's odd. I cannot reproduce. Can you check your browser's debug panel to see if the cookie is being rejected? Are you using https?

@bcoory
Author

bcoory commented Apr 14, 2022

Cookie is there - Using http only

@TheWitness
Member

Okay, that might be it. Let me see if I can reproduce that way.

@bcoory
Author

bcoory commented Apr 14, 2022

I just tried https, same problem. Nothing in the table yet either. Deleted cookie and it gets recreated ok.

@TheWitness
Member

It's http that's breaking it. On https it's working fine. Let me look into that. I've been using https for so long as it's where just about everyone is these days.

@TheWitness TheWitness added confirmed Bug is confirm by dev team and removed unverified Some days we don't have a clue labels Apr 14, 2022
@TheWitness TheWitness added this to the v1.2.21 milestone Apr 14, 2022
TheWitness added a commit that referenced this issue Apr 14, 2022
- Browsers to begin rejecting CactiTimeZone and CactiDateTime cookies due to SameSite Requirements
- Remember me not working after upgrade to 1.2.20 from 1.2.19
@TheWitness
Member

Okay, pull a fresh copy and then remove your cookies before you try again (just in case).

@TheWitness TheWitness added the resolved A fixed issue label Apr 14, 2022
@bcoory
Author

bcoory commented Apr 14, 2022

Odd. Still having the same issue with both http and https after the changes.

@TheWitness
Member

What PHP version?

@TheWitness
Member

Using Firefox, you should be able to open the debug window, go to Storage, drill into cookie storage, and your view should look like the following. Note the columns that I've highlighted. For this to work 'correctly' you need to be at PHP7.3++

image

@TheWitness
Member

If they are not as specified, and you are at PHP7.3+, then delete them one at a time and start over.

@bcoory
Author

bcoory commented Apr 14, 2022

Running PHP7.4. I am running FPM with apache. Will try without FPM also

@bcoory
Author

bcoory commented Apr 16, 2022

It seems the cacti_remembers cookie is not being created. Happening for me in all browsers. HTTP and HTTPS.

image

@TheWitness
Member

It may seem to be a stupid question, but it is enabled right? I'm totally unable to reproduce.

image

@batman978

Hello, I can confirm this is happening for me too - Firefox and Edge. I don't see 'cacti_remembers' cookie being created.
I upgraded 1.2.19 to 1.2.20 using PHP 7.4.3 on Ubuntu 20.04. My desktop is Windows 10 Enterprise 21H2

@batman978

Ahh ... "logout everywhere" worked for me. Sorry I missed that higher in the thread.
I only did it for my account, I didn't do it against the user_auth_cache table.

@bcoory
Author

bcoory commented Apr 19, 2022

> It may seem to be a stupid question, but it is enabled right? I'm totally unable to reproduce.
>
> image

Yes, definitely turned on.

I cannot see any errors in the console showing the cookie being rejected.

@TheWitness
Member

@batman978, did you update to the 1.2.x branch? Are you using http or https?

@TheWitness
Member

@bcoory, what you need to do is go to the login page, bring up the debug panel, and then the network tab, and watch the request and response headers. See below.

KeepMeSignedIn
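
The header check described in the comment above can also be scripted. This is an added example, not part of the thread or of Cacti's code: it audits the `Set-Cookie` values of a login response for the `cacti_remembers` cookie. The function names, finding strings, the `Cacti` session cookie name and all header lines are constructed for illustration.

```python
# Added example: audit a login response's Set-Cookie values for a remember-me cookie.
# All header lines below are constructed samples, not captured from a Cacti server.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs


def audit_cookie(set_cookie_values, cookie_name, scheme):
    """Return findings for cookie_name in a response delivered over scheme."""
    cookies = dict(parse_set_cookie(v) for v in set_cookie_values)
    if cookie_name not in cookies:
        return ["missing: no Set-Cookie header for " + cookie_name]
    attrs = cookies[cookie_name]
    findings = []
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append("session-only: no Expires/Max-Age, gone when the browser closes")
    if "secure" in attrs and scheme == "http":
        findings.append("rejected: Secure cookie set over plain http")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append("rejected: SameSite=None without Secure")
    if "httponly" not in attrs:
        findings.append("weak: HttpOnly missing, token readable from page script")
    return findings


# Constructed samples; "Cacti" as a session cookie name and TOKEN are placeholders.
NO_TOKEN = ["Cacti=abc123; Path=/cacti/; HttpOnly; SameSite=Strict"]
SESSION_ONLY = NO_TOKEN + ["cacti_remembers=TOKEN; Path=/cacti/; HttpOnly; SameSite=Strict"]
PERSISTENT = NO_TOKEN + ["cacti_remembers=TOKEN; Expires=Tue, 12 Jul 2022 00:00:00 GMT; "
                         "Max-Age=7776000; Path=/cacti/; Secure; HttpOnly; SameSite=Strict"]

if __name__ == "__main__":
    for label, values, scheme in [("no token", NO_TOKEN, "https"),
                                  ("session only", SESSION_ONLY, "https"),
                                  ("secure over http", PERSISTENT, "http"),
                                  ("persistent", PERSISTENT, "https")]:
        print(label, "->", audit_cookie(values, "cacti_remembers", scheme) or "ok")
```

A "missing" result means the server never issued the token, so the cause is server-side rather than a browser rejection.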

@bcoory
Author

bcoory commented Apr 20, 2022

There seems to be no response cookie.

Cacti.mov

@TheWitness
Member

TheWitness commented Apr 20, 2022

That really helped. Log in, go to Console > Configuration > Settings > Authentication and make your Guest Account something other than admin.

@TheWitness
Member

I guess we should be blocking the admin account from being a guest account.

@TheWitness
Member

Logged this bug as a result of the finding. Thanks!

#4731

@bcoory
Author

bcoory commented Apr 20, 2022

I currently have no guest account. Only one local "admin" account and 2 LDAP users.

image

@TheWitness
Member

Okay, that's odd. Modify auth_login.php like below, then post what shows up in the log when you log in.

image

@TheWitness
Member

Starts at line 201.

@bcoory
Author

bcoory commented Apr 20, 2022

Results below. Tried both local and LDAP.

2022/04/21 08:39:42 - AUTH Username error, not setting token
2022/04/21 08:39:42 - AUTH LOGIN: User 'admin' authenticated
2022/04/21 08:39:05 - AUTH Username error, not setting token
2022/04/21 08:39:05 - AUTH LOGIN: User 'bcoory' authenticated
2022/04/21 08:39:05 - AUTH LOGIN: LDAP User 'bcoory' Authenticated
2022/04/21 08:39:05 - AUTH LDAP_SEARCH: Authentication Success,

@TheWitness
Member

Are you running any plugins? I'm betting we have a name space collision.

@TheWitness
Member

Or it could be you simply need to go to the Console > Configuration > Settings > Authentication page and set a guest account, hit save, and then try to login again.

@TheWitness
Member

It's not a namespace issue though after looking at the error.

@bcoory
Author

bcoory commented Apr 20, 2022

I created a guest account and assigned it on Console > Configuration > Settings > Authentication. Now it is working.

I have never had a guest account in the past.

@TheWitness
Member

It's kind of crazy. Likely what happened before is that it was set that way, and you never realized it. It's good you have it set now, as your Cacti basically had some areas that, if a user went to them, were basically unsecured. This is why we prevented the 'guest' account, moving forward, from being the primary admin account. I guess what we missed in the upgrade was 'fixing' it if we found it. Glad it's working for you now.

@bcoory
Author

bcoory commented Apr 21, 2022

Many thanks! It looks like I can disable the guest account and remember me is still working.

@netniV netniV changed the title Remember me not working after upgrade to 1.2.20 from 1.2.19 Unable to automatically login using Remember Me option May 15, 2022
@KnoAll

KnoAll commented Jun 16, 2022

I'm running into a similar issue. I've followed through some of the troubleshooting on this page.
Running v1.2.21 on PHP 7.3.x and 7.4.x on two different systems, both with this issue.
I'm running local realm on HTTP only.
I've checked that Support Auth Cookies is enabled.
Ran a login with the debug/network/cookies, and do not see any response cookies entries.
I have a guest account on both systems, but don't use it/ it is not enabled.
Any help would be appreciated, happy to provide additional info as needed.

@TheWitness
Member

@netniV just recently fixed it. You are safe to just pull 1.2.x, or you can cherry pick from @netniV's commit.

@github-actions github-actions bot locked and limited conversation to collaborators Nov 29, 2022

4 participants