moxious / triage

testing triage actions for issues

Grafana: Unable to set httponly for grafana cookie #318

Open tonypowa opened 5 months ago

tonypowa commented 5 months ago

[image attachment: grafana cookieext]

What happened?

Unable to set the httponly flag on the Grafana cookie; please see the attachment.

cookie:

grafana_session_expiry

What did you expect to happen?

all cookies are set httponly

Did this work before?

No, it never worked.

How do we reproduce it?

  1. open dev tools in browser

  2. load a web page

  3. verify cookie's security flags

Is the bug inside a dashboard panel?

No response

Environment (with versions)?

Grafana:10.3.1

OS: RHEL9.3 UBI

Browser: EDGE, FIREFOX

Grafana platform?

None

Datasource(s)?

No response
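The report above verifies cookie flags by hand in the browser's dev tools. As an added example (not code from the issue or from the Grafana project), the script below does the same check against the `Set-Cookie` headers of an HTTP response, so it can be run repeatedly after a configuration change. The sample headers, the cookie values and the `legacy_pref` cookie are constructed for the demonstration; the `fetch_set_cookie` helper and the finding strings are this example's own names.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite attributes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import urllib.request


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and record which protections it lacks."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    samesite = attrs.get("samesite") or None
    findings = []
    if not httponly:
        findings.append("missing HttpOnly")          # value readable by page scripts
    if not secure:
        findings.append("missing Secure")            # may be sent over plain HTTP
    if samesite is None:
        findings.append("missing SameSite")          # browser default applies
    elif samesite.lower() == "none" and not secure:
        findings.append("SameSite=None requires Secure")  # browsers reject this combination
    return CookieAudit(name, httponly, secure, samesite, findings)


def audit_headers(headers: List[str]) -> Dict[str, CookieAudit]:
    """Audit every Set-Cookie header of a response, keyed by cookie name."""
    return {audit.name: audit for audit in map(parse_set_cookie, headers)}


def fetch_set_cookie(url: str) -> List[str]:
    """Fetch a URL and return all Set-Cookie headers (hypothetical helper for live checks)."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers; not captured from a real Grafana instance.
SAMPLE_SET_COOKIE = [
    "grafana_session=abc123; Path=/; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax",
    "grafana_session_expiry=1700000000; Path=/; Max-Age=2592000; Secure; SameSite=Lax",
    "legacy_pref=1; Path=/; SameSite=None",
]
```

A cookie that the page's own scripts must read cannot carry HttpOnly, so each "missing HttpOnly" finding is a prompt to confirm the cookie's purpose rather than a verdict by itself.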

tonypowa commented 5 months ago

This issue is a test copy of an issue in another repo. Original issue: https://github.com/grafana/grafana/issues/#83810

moxious commented 5 months ago

Summary: Issue #318 is open, authored by tonypowa, concerning the inability to set the 'httponly' flag for a Grafana cookie named 'grafana_session_expiry', which poses a security concern. The issue persists on Grafana version 10.3.1 running on RHEL9.3 UBI and is reproducible across multiple browsers.

moxious commented 5 months ago

Elaboration:

Hello @tonypowa, thank you for bringing this to our attention. In order to help us dig deeper into the issue with the httponly flag for Grafana cookies, we'll need some additional details. Could you please provide the following information to assist us in identifying the problem more precisely?

  1. In the steps to reproduce the issue, could you specify the exact URL or type of web page (if possible, a public endpoint) you are loading when you observe the cookie security flags?
  2. Can you confirm whether you are using the standard installation of Grafana or if you've applied any custom configurations or proxies that might intercept or alter HTTP headers?
  3. Have you altered any settings in grafana.ini or environment variables that pertain to session cookies or security?
  4. It appears that the linked screenshot did not load correctly. Could you please re-upload the image or provide a clear step-by-step description of what you're seeing in the dev tools?
  5. Lastly, if you have attempted any workarounds or solutions to try to force the httponly flag, such as custom middleware or headers, please share those attempts as well.

The more detailed information you can provide, the better we can understand the context and specifics of the issue. Thanks!

moxious commented 5 months ago

Hi @tonypowa,

Thanks for reporting this. It seems like your issue is related to security and configuration settings of Grafana itself. I believe this issue would be best suited for the Backend Platform project. The team in charge of backend development can look into the cookie configuration problem and provide the necessary fix or guidance.

Please expect a follow-up from the appropriate team soon. Meanwhile, you may also explore the Grafana documentation on session and authentication settings, in case there are any configurable options that could help.

Best regards, The Grafana Team