elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security] logging into one Kibana instance logs me out of all the others #189311

Closed drewdaemon closed 3 weeks ago

drewdaemon commented 1 month ago

Describe the bug:

Steps to reproduce:

  1. Run two instances of Kibana on your computer using yarn start (different ports can be configured with server.port in kibana.yml)
  2. Make sure no base path is set in kibana.yml (server.basepath should be missing!)
  3. Log into Kibana 1
  4. Log into Kibana 2

Result: you're logged out of Kibana 1.

Server log:

[2024-07-26T09:56:19.902-06:00][DEBUG][plugins.security.session.cookie] Outdated session value with path "/"

It appears to fail this validation: https://github.com/elastic/kibana/blob/3ae4111a77bc558c478e42da0e6803a901ec27c9/x-pack/plugins/security/server/session_management/session_cookie.ts#L91-L101

If the base paths are explicitly set in kibana.yml, the problem isn't present.

elasticmachine commented 1 month ago

Pinging @elastic/kibana-security (Team:Security)

azasypkin commented 3 weeks ago

Hey @drewdaemon, thanks for filing the issue! I believe what you're experiencing is described in https://github.com/elastic/kibana/issues/83914 (see Multi-tenancy using the same host name, but different ports). If so, then everything is working as intended, even though it’s definitely confusing (HTTP state spec 🤷). If you'd like to run multiple Kibanas on the same host, you'll need to use different cookies. Here's an example if you'd like to run multiple Kibana instances locally on different ports:

# Terminal #1
yarn start (implies `--server.port=5601 --dev.basePathProxyTarget=5603 --xpack.security.cookieName=sid`)

# Terminal #2
yarn start --server.port=5701 --dev.basePathProxyTarget=5703 --xpack.security.cookieName=sid7

I'm closing the issue, but feel free to re-open it if my guess is wrong.
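The cookie collision azasypkin describes, as an added example that is not Kibana's own code: a minimal RFC 6265-style cookie jar shows that a browser keys cookies by name, host and path but never by port, so two instances on localhost:5601 and localhost:5701 sharing the cookie name `sid` overwrite each other, while `sid` and `sid7` coexist. The session values are constructed placeholders.

```javascript
// Added example, not Kibana's own code: a minimal RFC 6265-style cookie jar.
// A browser keys cookies by (name, domain, path); the port is not part of the
// key, so two Kibanas on localhost:5601 and localhost:5701 that both use the
// cookie name "sid" with Path=/ overwrite each other's session cookie.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Store a Set-Cookie header value under (name, hostname, path).
  setCookie(originUrl, setCookieHeader) {
    const { hostname } = new URL(originUrl);
    const [nameValue, ...attrs] = setCookieHeader.split(';').map((s) => s.trim());
    const eq = nameValue.indexOf('=');
    const name = nameValue.slice(0, eq);
    const value = nameValue.slice(eq + 1);
    let path = '/';
    for (const attr of attrs) {
      const [k, v] = attr.split('=');
      if (k.toLowerCase() === 'path' && v) path = v;
    }
    // Same key => replace, regardless of which port set it.
    this.store.set(`${name}|${hostname}|${path}`, { name, value, hostname, path });
  }

  // Cookies the browser would attach to a request: host must match and the
  // request path must start with the cookie path; the port is ignored.
  cookiesFor(url) {
    const { hostname, pathname } = new URL(url);
    const sent = {};
    for (const c of this.store.values()) {
      if (c.hostname === hostname && pathname.startsWith(c.path)) sent[c.name] = c.value;
    }
    return sent;
  }
}

// Log into both instances with the given cookie names, then see what each
// instance receives. Session values are constructed placeholders.
function simulateLogins(cookieName1, cookieName2) {
  const jar = new CookieJar();
  jar.setCookie('http://localhost:5601/', `${cookieName1}=session-for-5601; Path=/; HttpOnly`);
  jar.setCookie('http://localhost:5701/', `${cookieName2}=session-for-5701; Path=/; HttpOnly`);
  return {
    kibana1: jar.cookiesFor('http://localhost:5601/api/status'),
    kibana2: jar.cookiesFor('http://localhost:5701/api/status'),
  };
}

const clash = simulateLogins('sid', 'sid');   // Kibana 1's "sid" now holds Kibana 2's session
const fixed = simulateLogins('sid', 'sid7');  // each instance still finds its own cookie
```

With distinct names both cookies are still sent to both ports; each instance simply reads only the name it was configured with, which is why Kibana rejects the other one as outdated only in the shared-name case.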

drewdaemon commented 3 weeks ago

Okay, thanks for checking @azasypkin!