canonical / opensearch-dashboards-operator

Opensearch Dashboards Juju Charm
Apache License 2.0

Modern browsers fail to login with HTTP-only dashboards #129

Open phvalguima opened 8 hours ago

phvalguima commented 8 hours ago

Modern browsers, in my case, both:

Result in opensearch-dashboards never leaving the login page when running with HTTP only.

There is nothing relevant in the logs, besides:

{"type":"response","@timestamp":"2024-11-05T14:42:30Z","tags":[],"pid":5161,"method":"post","statusCode":401,"req":{"url":"/api/ism/accountInfo","method":"post","headers":{"host":"10.235.113.227:5601","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://10.235.113.227:5601/app/login?","content-type":"application/json","osd-version":"2.17.0","osd-xsrf":"osd-fetch","content-length":"82","origin":"http://10.235.113.227:5601","dnt":"1","connection":"keep-alive","priority":"u=4"},"remoteAddress":"10.235.113.1","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0","referer":"http://10.235.113.227:5601/app/login?"},"res":{"statusCode":401,"responseTime":3,"contentLength":9},"message":"POST /api/ism/accountInfo 401 3ms - 9.0B"}

Looking closer with Firefox's dev tools, I can see a console error though:

Cookie “security_authentication” has been rejected because a non-HTTPS cookie can’t be set as “secure”.

So, I believe we are failing to submit a token due to modern browsers' security restrictions, and that causes the server to issue a 401 Unauthorized.

My recommendation is to deprecate HTTP and support only HTTPS moving forward.
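As an added illustration (not code from the charm or from the issue author), a small Python check that mirrors the browser rule behind that console error: it parses a Set-Cookie header and reports whether a current browser would store it for the origin the response came from. The cookie value, the SameSite rule and the localhost exception are assumptions for the example, not taken from the charm.

```python
# Added example: offline model of the browser rule "a Secure cookie is
# dropped when the response arrived over plain http://". Sample header
# values are constructed, not captured from opensearch-dashboards.
from typing import Optional
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookie_rejection_reason(header: str, response_url: str) -> Optional[str]:
    """Return why a browser would drop this cookie, or None if it is stored.

    Rules modelled (as enforced by current Firefox/Chrome; assumption):
    * Secure cookies are accepted only from secure origins (https or localhost).
    * SameSite=None cookies must also carry Secure.
    """
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    url = urlsplit(response_url)
    scheme = url.scheme.lower()
    secure_origin = scheme == "https" or (url.hostname or "") in ("localhost", "127.0.0.1")
    if "secure" in attrs and not secure_origin:
        return (f'cookie "{cookie["name"]}" rejected: Secure attribute set '
                f"but response came over {scheme}://")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        return f'cookie "{cookie["name"]}" rejected: SameSite=None without Secure'
    return None


# Constructed sample resembling the dashboards security cookie named in the issue.
SAMPLE_COOKIE = "security_authentication=Fe26.2**redacted; Secure; HttpOnly; Path=/"


def check_dashboards(http_url: str, https_url: str) -> dict:
    """Evaluate the same cookie as served over HTTP and over HTTPS."""
    return {
        "http": cookie_rejection_reason(SAMPLE_COOKIE, http_url),
        "https": cookie_rejection_reason(SAMPLE_COOKIE, https_url),
    }


if __name__ == "__main__":
    base = "10.235.113.227:5601"  # host from the log above
    for origin, reason in check_dashboards(f"http://{base}", f"https://{base}").items():
        print(origin, "->", reason or "stored")
```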

syncronize-issues-to-jira[bot] commented 8 hours ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/DPE-5909.

This message was autogenerated

phvalguima commented 8 hours ago

Relating opensearch-dashboards to the TLS operator resolves the issue, even with the self-signed-certificates charm.