Comments (9)
Hey @AnnoyingTechnology,
thanks for reporting this. Just to clarify: you are talking about the first of the two cookies (the one starting with ph_phc_) which is problematic, while the authentication cookie is fine?
Edit: You are explaining that already in the first sentence, sorry.
from graylog2-server.
Related: #15527
from graylog2-server.
Thanks, @coffee-squirrel! I think disabling telemetry for now is a valid workaround if the overly wide cookie domain is an issue for you.
I think we should try to fix that nonetheless, as we want users to have as few privacy/security issues as possible when deciding to send telemetry data, because it helps us improve the product (finding out if features are actually used, at which scale, which user flows can be streamlined, etc.).
The cookie is set by the Posthog client library and it looks like they are doing this (setting it to *.domain.tld) on purpose to allow cross-domain tracking. We do not want this and it makes little sense for an on-premise product, so I hope there is a way to disable it.
from graylog2-server.
We experienced the same issue as @hydrapolic, created a separate issue since the cookie broke it for us, but the domain is irrelevant here.
Regarding the actual issue here: The top-level domain cookie does not make any sense at all, since we use graylog.<environment>.example.com with multiple instances and these cookies would get mixed up constantly.
from graylog2-server.
If you disable telemetry globally (graylog.conf), the cookies are not created.
# New for 5.1 disable telemetry global for all users
telemetry_enabled = false
best regards
from graylog2-server.
Wow, that's unexpected but it checks out.
Thanks!
(still a security concern for people who don't notice and leave this enabled)
from graylog2-server.
> If you disable telemetry globally (graylog.conf), the cookies are not created.
> # New for 5.1 disable telemetry global for all users
> telemetry_enabled = false
> best regards
Probably another issue, but users who did not have telemetry disabled could not connect to Graylog after upgrading from 5.1 -> 5.2. Graylog is behind nginx with oauth2-proxy doing the authentication.
After setting telemetry_enabled = false they could log in again. By checking the cookie, it was very long and contained special chars, so probably the processing in Graylog changed for 5.2?
from graylog2-server.
Hey @hydrapolic,
do I understand you correctly that with Graylog 5.2 you were not able to login when telemetry was enabled? What error did you see? Can you create a separate issue for this?
from graylog2-server.
> Hey @hydrapolic,
> do I understand you correctly that with Graylog 5.2 you were not able to login when telemetry was enabled? What error did you see? Can you create a separate issue for this?
Yes, after upgrading from Graylog 5.1 to 5.2, users were unable to log in; they received error 400. My user was able to log in because I had telemetry disabled previously. After setting telemetry_enabled = false globally, users were able to log in.
The only difference I saw was the cookie: mine was shorter, while the users had telemetry data in the cookie. Probably the cookie processing changed in 5.2 so that it is stricter about what to accept?
Unfortunately I don't have the logs any more, but I see no errors in the graylog log from that day, just http 400 from graylog in the nginx log.
We use oauth2-proxy with Azure for password management.
from graylog2-server.
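A check for the two points raised in this thread: the PostHog cookie's Domain attribute causing it to be sent to sibling graylog.<environment>.example.com hosts, and a cookie large enough to push the browser's Cookie request header past a proxy limit. This is an added example written for this page, not Graylog or PostHog code. The host names, cookie names and values are constructed (only the ph_phc_ prefix comes from the discussion), and the 8 KB budget is an assumption: the thread does not establish that the 400 responses were caused by cookie size, so treat that part as a hypothesis to confirm against your proxy's logs.

```python
"""Audit Set-Cookie headers for over-broad Domain scope and oversized cookies.

Added example for this thread, not Graylog or PostHog code. Host names,
cookie names and values are constructed; only the ph_phc_ prefix is taken
from the discussion.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumption: the proxy in front of Graylog rejects requests whose headers
# exceed roughly this size (nginx's large_client_header_buffers defaults to
# 8k). The thread does not confirm that the 400s were caused by cookie size.
HEADER_BUDGET = 8192


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]  # None => host-only cookie (no Domain attribute)
    attrs: dict


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 section 5.2, simplified)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain")
    if domain:
        # Browsers ignore a leading dot ("Domain=.example.com"); normalise it.
        domain = domain.lstrip(".").lower()
    return Cookie(name.strip(), value.strip(), domain or None, attrs)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-matching: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def receiving_hosts(cookie: Cookie, host: str, other_hosts: list[str]) -> list[str]:
    """Return which of `other_hosts` the browser would also send this cookie to.

    A host-only cookie goes back only to the host that set it. A cookie with
    a Domain attribute is sent to every host that domain-matches it, which is
    how one instance's cookie ends up on a sibling instance.
    """
    if cookie.domain is None:
        return [h for h in other_hosts if h.lower() == host.lower()]
    return [h for h in other_hosts if domain_matches(h, cookie.domain)]


def cookie_header_size(cookies: list[Cookie]) -> int:
    """Size in bytes of the Cookie request header a browser would send back."""
    return len("; ".join(f"{c.name}={c.value}" for c in cookies))


def audit(host: str, set_cookie_headers: list[str], sibling_hosts: list[str]) -> dict:
    """Flag cookies that leak to sibling hosts and an oversized Cookie header."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    findings = {"overbroad": {}, "header_size": cookie_header_size(cookies)}
    for c in cookies:
        leaked_to = [h for h in receiving_hosts(c, host, sibling_hosts) if h != host]
        if leaked_to:
            findings["overbroad"][c.name] = leaked_to
    findings["oversized"] = findings["header_size"] > HEADER_BUDGET
    return findings


# Constructed sample: one instance in a fleet named graylog.<environment>.example.com,
# with an authentication cookie scoped to the host and a ph_phc_ cookie scoped
# to the parent domain, as described in the thread.
HOST = "graylog.prod.example.com"
SIBLINGS = ["graylog.prod.example.com", "graylog.staging.example.com", "wiki.example.com"]
SET_COOKIES = [
    "authentication=0123456789abcdef; Path=/; HttpOnly; Secure; SameSite=Strict",
    "ph_phc_demo_posthog=%7B%22distinct_id%22%3A%22" + "x" * 600 + "%22%7D"
    "; Domain=.example.com; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT; SameSite=Lax",
]

if __name__ == "__main__":
    report = audit(HOST, SET_COOKIES, SIBLINGS)
    for name, hosts in report["overbroad"].items():
        print(f"{name}: also sent to {', '.join(hosts)}")
    print(f"Cookie header would be {report['header_size']} bytes "
          f"(oversized={report['oversized']})")
```

To run it against a live instance, replace SET_COOKIES with the Set-Cookie values from a real response (for example the ones shown by curl -i against the login page) and SIBLINGS with the other hosts under the same parent domain; any cookie listed under "overbroad" will be presented to those hosts on every request.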