OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

User not logged out when session expires #7512

Closed animedbz16 closed 2 months ago

animedbz16 commented 3 months ago

Description

We have configured OpenCTI with OpenID Connect SSO provided by Microsoft ADFS, and we have noticed that after the default 20 minutes for a session to time out, the user is not logged out. We enabled APP__SESSION_IDLE_TIMEOUT to ensure that a dialog is presented to the user, but it appears that if no intervention is made to extend the session, the frontend application will attempt to make a request to /logout.

This request gets routed to the following code:

https://github.com/OpenCTI-Platform/opencti/blob/f0ed94129c1dafb0040bed13b51ab98d2d9b5213/opencti-platform/opencti-graphql/src/http/httpPlatform.js#L316C7-L317C18

An attempt is made to read the user object from req.session; however, when you inspect the value of user it is undefined, because the session has already expired.

If there is no user object, none of the code is run and nothing is returned, so nothing is ever sent back to the frontend, and the frontend continues to show the network request to /logout as pending.

The dialog ultimately closes, but the page is never routed away. If a user was idle and came back to their computer, they would still see the OpenCTI user interface. They would then attempt to do something, and when a request is made the backend would see there is no user or that they are unauthenticated, and only then would the UI navigate to the login page. This can pose a problem if someone was updating various data and clicked save / update, only to realize that they are not logged in and that they have lost what they had typed.

We have also noticed this issue exists when we configure authentication with LDAP as well.

Environment

  1. OS (where OpenCTI server runs): Docker
  2. OpenCTI version: 6.1.12
  3. OpenCTI client:
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Configure small values for APP__SESSION_TIMEOUT (e.g. 5 minutes) and APP__SESSION_IDLE_TIMEOUT (e.g. 4 minutes) and start OpenCTI
  2. Log in to OpenCTI
  3. Open Browser Developer Tools and view Network requests / traffic
  4. Wait until SESSION_IDLE_TIMEOUT dialog is displayed and counting down letting it hit 0
  5. UI makes a request to /logout, but this request never receives a response
  6. Dialog box closes and user continues to be able to view the last page they were on

Expected Output

The user should be logged out and then navigated to the /login page

Actual Output

The user is not logged out and continues to be able to view the last page they were on.

Additional information

Screenshots (optional)

https://github.com/OpenCTI-Platform/opencti/assets/2822632/fdc98ffc-c163-4222-8f0c-ad89aa0f77bc
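The failure mode described above, as an added illustration that is not OpenCTI's own code: a logout handler that only replies when req.session.user is set, beside one that always replies. The request, response and session objects are minimal stand-ins for the Express ones so the file runs offline; their shapes (session.user, session.destroy(), res.redirect()) are assumptions, as is the audit hook.

```javascript
// Added example, not OpenCTI's own code. It contrasts a logout handler that
// only replies when req.session.user is set (the pattern the report describes)
// with one that always replies. The request, response and session objects are
// minimal stand-ins for the Express ones, so the file runs offline; their
// shapes (session.user, session.destroy(), res.redirect()) are assumptions.

function makeSession(user) {
  return {
    user,
    destroyed: false,
    destroy() {
      this.destroyed = true;
      this.user = undefined;
    },
  };
}

function makeRes() {
  // `ended` stays false if a handler never produces a response.
  const res = { ended: false, status: null, location: null };
  res.redirect = (url) => {
    res.status = 302;
    res.location = url;
    res.ended = true;
  };
  return res;
}

// Buggy shape: session teardown AND the response are both gated on a user
// being present. Once the server-side session has expired, `user` is
// undefined, nothing runs, and the client waits for the request timeout.
function logoutGatedOnUser(req, res) {
  const { user } = req.session;
  if (user) {
    req.session.destroy();
    res.redirect('/login');
  }
}

// Hardened shape: the user is only needed for auditing (hypothetical hook);
// teardown and the response happen unconditionally, so an already-expired
// session still gets a reply and the browser is sent to the login page.
function logoutAlwaysResponds(req, res, audit = []) {
  const { user } = req.session;
  if (user) {
    audit.push(`logout user=${user.id}`);
  }
  req.session.destroy();
  res.redirect('/login');
}

// Drives a handler with a given session state and reports what the client saw.
function simulateLogout(handler, user) {
  const req = { session: makeSession(user) };
  const res = makeRes();
  const audit = [];
  handler(req, res, audit);
  return {
    responded: res.ended,
    status: res.status,
    location: res.location,
    sessionDestroyed: req.session.destroyed,
    audit,
  };
}

// Constructed scenarios: a live session, and one whose user is already gone.
const alice = { id: 'alice' };
console.log(simulateLogout(logoutGatedOnUser, alice));        // responded: true
console.log(simulateLogout(logoutGatedOnUser, undefined));    // responded: false (request hangs)
console.log(simulateLogout(logoutAlwaysResponds, undefined)); // responded: true, status 302
```

The second call is the situation in the report: with no user in the session the gated handler sends nothing, so the /logout request stays pending until the server's request timeout fires. The hardened handler treats "no user" as "nothing to audit" rather than "nothing to do".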

romain-filigran commented 3 months ago

@richard-julien : What do you think about this ?

richard-julien commented 3 months ago

We need to try to reproduce. Logout should of course return something; something has broken since.

animedbz16 commented 3 months ago

I will also note that the reason why the request does not time out seems to be that the default value of APP__REQUEST_TIMEOUT is 20 minutes. This value is passed to the node httpServer:

https://github.com/OpenCTI-Platform/opencti/blob/3355b5fb543e997db21f88e3e8374d392eff5113/opencti-platform/opencti-graphql/src/http/httpServer.js#L42

Looking at node, they set a default for this to be 2 minutes which seems way more reasonable.

https://nodejs.org/api/https.html#serversettimeoutmsecs-callback

I'm not sure why OpenCTI would want to keep requests pending for up to 20 minutes by nature, but I figured I would share this feedback as well.

Kedae commented 3 months ago

Locally I'm missing a user in the session when asking for logout, I'll check.