
[dev.icinga.com #12166] Logout doesn't work when done via client certs

Open icinga-migration opened this issue 9 years ago • 2 comments

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12166

Created by calestyo on 2016-07-16 23:04:52 +00:00

Assignee: (none) Status: New Target Version: Backlog Last Update: 2016-10-04 11:52:01 +00:00 (in Redmine)


Hey.

When the authentication is done via HTTP Basic Auth, but this is itself actually done via X509 client certs (SSLOptions +fakeBasicAuth), then logout doesn't work. I'd guess this is simply because the browser again authenticates with the chosen client cert on the next request, and HTTP Basic Auth is automatically performed. There is actually a reason for that, e.g. when having multiple client certs, which result in different roles (e.g. one admin, the other not) in one browser.

It would be nice if logout could be made working with that case as well, though to be honest, I have no idea how this actually can be done and whether it would be portable amongst browsers. There are some stackoverflow questions that seem to answer the issue more or less: https://stackoverflow.com/questions/9724489/clear-ssl-client-certificate-state-from-javascript https://stackoverflow.com/questions/10487205/https-client-certificate-logout-relogin

So on logout, Icinga Web should call the functions of the browsers to clear the SSL client cert session. I think it should do that generally, i.e. not trying to be smartass and only do that if it's believed that login was made via certificate... there is not really a reliable way to do so, I think. Especially, there are no guarantees that the REMOTE_USER/REDIRECT_REMOTE_USER env vars have the typical strings like DN= of certificate users.

Cheers, Chris

icinga-migration avatar Jul 16 '16 23:07 icinga-migration
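The mechanism described in the report, modelled as an added example (Python rather than Icinga Web 2's PHP; it is not the project's code): with FakeBasicAuth the web server hands the application a REMOTE_USER on every request, so an application that auto-logs-in whenever REMOTE_USER is present silently undoes its own logout on the next request. The "hardened" variant does not try to guess from the DN whether the login came from a certificate; it simply remembers, server-side, which external identity explicitly logged out and refuses to auto-login that same identity again, while a different identity (a different client cert picked in the browser) still logs in. The `Session` class, the handler functions and the `/C=DE/O=Example/CN=...` DNs are constructed for the example.

```python
"""
Constructed model of external (web-server) authentication as seen by an
application behind Apache's FakeBasicAuth: every request already carries
REMOTE_USER, so a logout that only clears the application session is
reverted by the very next request the browser makes with the same cert.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    """Server-side session state (hypothetical, not Icinga Web 2's)."""
    user: Optional[str] = None
    logged_out_as: Optional[str] = None  # external identity that explicitly logged out


def _remote_user(env: Dict[str, str]) -> Optional[str]:
    # Apache may expose the identity under either name after an internal redirect.
    return env.get("REMOTE_USER") or env.get("REDIRECT_REMOTE_USER")


def naive_handle(session: Session, env: Dict[str, str]) -> Optional[str]:
    """Auto-login whenever the web server supplies an identity."""
    remote = _remote_user(env)
    if remote:
        session.user = remote
    return session.user


def naive_logout(session: Session) -> None:
    """Clears the application session only; the cert is still presented next time."""
    session.user = None


def hardened_handle(session: Session, env: Dict[str, str]) -> Optional[str]:
    """Auto-login, except for the identity that just logged out."""
    remote = _remote_user(env)
    if not remote:
        return session.user
    if session.logged_out_as == remote:
        # Same external identity re-sent by the browser after logout: stay logged out.
        return None
    # A different identity (e.g. another client cert) is a genuine new login.
    session.logged_out_as = None
    session.user = remote
    return session.user


def hardened_logout(session: Session) -> None:
    """Remember who logged out so the next identical REMOTE_USER is not auto-accepted."""
    session.logged_out_as = session.user
    session.user = None


# Constructed DNs in the one-line form FakeBasicAuth puts into REMOTE_USER.
ENV_ADMIN = {"REMOTE_USER": "/C=DE/O=Example/CN=admin"}
ENV_ALICE = {"REMOTE_USER": "/C=DE/O=Example/CN=alice"}


def scenario(handle: Callable[[Session, Dict[str, str]], Optional[str]],
             logout: Callable[[Session], None]) -> List[Optional[str]]:
    """Login, logout, same cert re-sent, then a different cert; returns who is logged in after each request."""
    session = Session()
    seen: List[Optional[str]] = []
    seen.append(handle(session, ENV_ADMIN))  # first request: auto-login as admin
    logout(session)                          # user clicks "logout"
    seen.append(handle(session, ENV_ADMIN))  # browser re-authenticates with the same cert
    seen.append(handle(session, ENV_ALICE))  # user switches to another client cert
    return seen


if __name__ == "__main__":
    print("naive   :", scenario(naive_handle, naive_logout))
    print("hardened:", scenario(hardened_handle, hardened_logout))
```

The naive sequence shows the reported symptom: the admin identity is back immediately after logout. The hardened sequence stays logged out while the browser keeps presenting the same certificate, yet still accepts the second certificate, which is the multi-cert use case the report gives as the reason for wanting logout at all. What this cannot do is revoke the TLS client-cert choice in the browser; it only stops the application from treating the re-presented identity as a fresh login.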

Updated by elippmann on 2016-10-04 11:52:02 +00:00

  • Subject changed from logout doesn't work when doen via client certs to Logout doesn't work when done via client certs
  • Category set to Authentication & Authorization
  • Target Version set to Backlog

icinga-migration avatar Oct 04 '16 11:10 icinga-migration

"the functions of the browsers to clear the SSL client cert session"

@calestyo I'm afraid they're gone: https://bugzilla.mozilla.org/show_bug.cgi?id=1225487

Al2Klimov avatar Apr 29 '25 11:04 Al2Klimov