Open tonypowa opened 5 months ago
This issue is a test copy of an issue in another repo. Original issue: https://github.com/grafana/grafana/issues/#83810
Summary: Issue #318 is open, authored by tonypowa, concerning the inability to set the 'httponly' flag for a Grafana cookie named 'grafana_session_expiry', which poses a security concern. The issue persists on Grafana version 10.3.1 running on RHEL9.3 UBI and is reproducible across multiple browsers.
Elaboration:
Hello @tonypowa, thank you for bringing this to our attention. In order to help us dig deeper into the issue with the httponly flag for Grafana cookies, we'll need some additional details. Could you please provide the following information to assist us in identifying the problem more precisely?
grafana.ini or environment variables that pertain to session cookies or security?
httponly flag, such as custom middleware or headers, please share those attempts as well.
The more detailed information you can provide, the better we can understand the context and specifics of the issue. Thanks!
Hi @tonypowa,
Thanks for reporting this. It seems like your issue is related to security and configuration settings of Grafana itself. I believe this issue would be best suited for the Backend Platform project. The team in charge of backend development can look into the cookie configuration problem and provide the necessary fix or guidance.
Please expect a follow-up from the appropriate team soon. Meanwhile, you may also explore the Grafana documentation on session and authentication settings, in case there are any configurable options that could help.
Best regards, The Grafana Team
[###]
What happened?
Unable to set httponly flag on grafana cookie, please see attachment
cookie:
grafana_session_expiry
What did you expect to happen?
all cookies are set httponly
Did this work before?
no it never worked
How do we reproduce it?
open dev tools in browser
load a web page
verify cookie's security flags
Is the bug inside a dashboard panel?
No response
Environment (with versions)?
Grafana: 10.3.1
OS: RHEL9.3 UBI
Browser: EDGE, FIREFOX
Grafana platform?
None
Datasource(s)?
No response
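The check from the reproduction steps can also be run over raw Set-Cookie response headers instead of browser dev tools, which makes it repeatable in a regression test. This is an added example, not part of the original issue or of Grafana's code; the header values in `SAMPLE_HEADERS` are constructed, and the `grafana_session` line with its flags is an assumption included only for contrast.

```python
# Added example: audit Set-Cookie header values for missing security attributes.
from dataclasses import dataclass


@dataclass
class CookieAudit:
    name: str
    attrs: dict  # lower-cased attribute name -> value ("" for bare flags)

    @property
    def missing(self):
        """Security attributes absent from this cookie, in a fixed order."""
        wanted = (("httponly", "HttpOnly"), ("secure", "Secure"), ("samesite", "SameSite"))
        return [label for key, label in wanted if key not in self.attrs]


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, _value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a cookie pair: {parts[0]!r}")
    attrs = {}
    for part in parts[1:]:
        if not part:  # tolerate a trailing ';'
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieAudit(name.strip(), attrs)


def cookies_missing(headers, attribute="HttpOnly"):
    """Names of cookies whose Set-Cookie header lacks the given attribute."""
    return [c.name for c in map(parse_set_cookie, headers) if attribute in c.missing]


# Constructed sample headers (not captured from a real server). The second line
# mirrors the report: grafana_session_expiry is sent without HttpOnly.
SAMPLE_HEADERS = [
    "grafana_session=PLACEHOLDER; Path=/; Max-Age=2592000; HttpOnly; SameSite=Lax",
    "grafana_session_expiry=1700000000; Path=/; Max-Age=2592000; SameSite=Lax",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header)
        print(f"{cookie.name}: missing {', '.join(cookie.missing) or 'nothing'}")
```

To audit a live instance, feed the function the Set-Cookie values from a captured response in place of `SAMPLE_HEADERS`.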