Closed evan-chaney closed 2 years ago
Hi @evan-chaney,
Unfortunately, this behavior comes from the browser's cache.
This StackOverflow question details more about this.
We can create a parameter for cacheTimeout and read these headers:
X-Forwarded-Host: [whoami.localhost]
X-Forwarded-Port: [80]
X-Forwarded-Proto: [HTTP]
to create a 302 redirect in the format X-Forwarded-Proto://logout@X-Forwarded-Host:X-Forwarded-Port, which will force the browser to request the password again.
Better than this, we already have a RequireAuth method that requests the user to authenticate again:
We just need to validate the cacheTimeout.
Hello, @evan-chaney
I created a new branch, add-session. Could you test it and report if there is any problem?
The CacheTimeout config param is set to 300s by default, but you can change it to fit your needs.
With this, only one request will be made to the LDAP server while the session is valid.
Hello @wiltonsr,
First off thanks for your quick work, this is great stuff! I'm running Traefik in Docker stack and I don't think I can specify a branch for the plugin, only tags. Any chance you could tag the branch or otherwise have it show up as a version on plugins.traefik.io?
I created v0.0.18-beta.
Just wait for the refresh on plugins.traefik.io.
Ok I got a chance to play with this at work this morning. It seems awesome! No problems over here and things may even be faster. Thanks for your extremely quick response and turnaround!
Glad to know.
I will improve this feature, because we only read the session cookie; I need to add some level of cryptography to prevent fake/malicious requests from being validated.
For now, you can keep using the v0.0.18-beta release.
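The two points made in this thread, a CacheTimeout so that one successful LDAP bind is reused for the rest of the session, and a signature on the session cookie so that a forged or tampered cookie is not accepted, as an added example in Go. This is not the ldapAuth plugin's own code: the cookie name, the HMAC-signed cookie format, the constructed "alice" account standing in for the LDAP bind, and the injectable clock are all assumptions made here so the scenario runs offline. Demo() replays the thread's case of one login followed by 13 refreshes and then presents a tampered cookie and an expired one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)
const sessionCookie = "ldapAuth_session" // hypothetical cookie name for this example

// SessionAuth answers requests from a signed session cookie while it is valid and only
// performs the (simulated) LDAP bind when no valid cookie is presented.
type SessionAuth struct {
	key          []byte                       // HMAC key: random, secret, per deployment
	cacheTimeout time.Duration                // how long one successful bind is trusted
	bind         func(user, pass string) bool // stand-in for the real LDAP bind
	now          func() time.Time             // injectable clock
	LDAPCalls    int                          // binds performed so far
}
func (s *SessionAuth) mac(payload string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}
// issue builds "<b64 user>.<unix expiry>.<hmac>"; the expiry is covered by the MAC.
func (s *SessionAuth) issue(user string) string {
	exp := strconv.FormatInt(s.now().Add(s.cacheTimeout).Unix(), 10)
	payload := base64.RawURLEncoding.EncodeToString([]byte(user)) + "." + exp
	return payload + "." + s.mac(payload)
}
// verify accepts a cookie only if its MAC matches (constant-time, before trusting the payload) and the signed expiry is in the future.
func (s *SessionAuth) verify(cookie string) error {
	parts := strings.Split(cookie, ".")
	if len(parts) != 3 || subtle.ConstantTimeCompare([]byte(s.mac(parts[0]+"."+parts[1])), []byte(parts[2])) != 1 {
		return errors.New("malformed or forged cookie")
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || !s.now().Before(time.Unix(exp, 0)) {
		return errors.New("session expired")
	}
	return nil
}

// Handler: valid cookie -> pass through; else Basic credentials -> LDAP bind -> set cookie; else 401 so the browser prompts or re-sends.
func (s *SessionAuth) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(sessionCookie); err == nil && s.verify(c.Value) == nil {
			next.ServeHTTP(w, r)
			return
		}
		if user, pass, ok := r.BasicAuth(); ok {
			s.LDAPCalls++
			if s.bind(user, pass) {
				http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: s.issue(user), Path: "/", HttpOnly: true,
					Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: int(s.cacheTimeout.Seconds())})
				next.ServeHTTP(w, r)
				return
			}
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="ldapAuth"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// Demo replays the thread's scenario with a constructed account and a fake clock. It returns
// (LDAP binds after one login plus 13 refreshes, status for a tampered cookie, status after CacheTimeout).
func Demo() (binds, tampered, expired int) {
	clock := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	s := &SessionAuth{key: []byte("replace-with-32-random-bytes"), cacheTimeout: 300 * time.Second,
		bind: func(u, p string) bool { return u == "alice" && p == "s3cret" }, // constructed account
		now:  func() time.Time { return clock }}
	h := s.Handler(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	send := func(c *http.Cookie, user, pass string) *httptest.ResponseRecorder {
		req, rec := httptest.NewRequest("GET", "/", nil), httptest.NewRecorder()
		if c != nil {
			req.AddCookie(c)
		}
		if user != "" {
			req.SetBasicAuth(user, pass)
		}
		h.ServeHTTP(rec, req)
		return rec
	}
	cookie := send(nil, "alice", "s3cret").Result().Cookies()[0] // one LDAP bind, cookie issued
	for i := 0; i < 13; i++ {
		send(cookie, "", "") // 13 refreshes answered from the cookie: no further binds
	}
	tampered = send(&http.Cookie{Name: sessionCookie, Value: "x" + cookie.Value[1:]}, "", "").Code
	clock = clock.Add(301 * time.Second) // past CacheTimeout: cookie rejected, browser asked again
	expired = send(cookie, "", "").Code
	return s.LDAPCalls, tampered, expired
}

func main() { fmt.Println(Demo()) }
```

The cookie carries only the user name and an expiry under an HMAC, never the password, so a leaked or guessed cookie cannot be replayed past CacheTimeout and cannot be minted without the key. When the cookie expires the middleware answers 401 with WWW-Authenticate; the browser then re-sends the credentials it has cached, which is exactly the behaviour described at the top of the thread, so the LDAP server sees one bind per CacheTimeout window instead of one per request.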
I have a Kibana server behind Traefik (v2.9.1) with the ldapAuth plugin (v0.0.17), and I can see 14 authentication requests in the ldapAuth logs just by accessing / on the server. The browser seems to cache the credentials, or perhaps that is happening in ldapAuth, but it does show 14 requests being sent to my LDAP server, and all of them are authenticated successfully. This isn't a fail-and-retry scenario. I was able to replicate this with a simpler web service: just by refreshing the page, it authenticates against LDAP in the log even though I don't get a credential prompt in the browser. Is there some way to cache an authentication for an hour or any other configurable amount of time?