diff options
author | Paul Fertser <fercerpav@gmail.com> | 2024-06-12 22:28:47 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2024-07-11 19:57:50 +0300 |
commit | 29aab242f2d35891bd808e057e33b328989836d3 (patch) | |
tree | e2b5b8b22f7dfc81b4b10cfb75e13851c9125e26 /redfish-core/lib | |
parent | ca89b200406e16a47195e132f2e47a1d2b9879c3 (diff) | |
download | bmcweb-29aab242f2d35891bd808e057e33b328989836d3.tar.xz |
Send cookies to webui-vue from Sessions POST
Using Redfish-standard X-Auth-Token authentication is less secure
(against injected JS code) compared to an HttpOnly (not available to the
JS VM) SESSION cookie. Currently webui-vue authenticates connections to
WebSocket URIs not only by a JS-accessible token (passed as subprotocol
when upgrading to WS) but also via a SESSION cookie (even though it is
not subject to CORS policy).
To allow WebSocket-based functionality (IP KVM, SOL, VM) after creating
a Session object send a set of cookies instead of the X-Auth-Token
header if the request was made by webui-vue (detected by presence of
"X-Requested-With" header).
Factor out cookie setting and clearing functions and use explicit Path=/
attribute as the cookies are valid for the whole server, not just the
path of the endpoint they were created by.
Not specifying Path was functional for /login endpoint because
https://www.rfc-editor.org/rfc/rfc6265#section-5.3 point 7 for this case
says "set the cookie's path to the default-path of the request-uri" and
https://www.rfc-editor.org/rfc/rfc6265#section-5.1.4 tells how to
compute the default path. Basically, it was a "happy coincidence" that
/login defaults to / for the Path, if it was /openbmc/login then the
cookies would have been set to Path=/openbmc and not work at all for
/redfish/v1 endpoints.
Tested: Redfish-Service-Validator doesn't see a difference. Runtime
testing logging in via Sessions endpoint, getting data, using websockets
and logging out against webui-vue with a corresponding change while
carefully observing Request and Response headers. Creating a session
with curl without the special header shows just X-Auth-Token and no
cookies in the response.
Change-Id: I0b1774e586671874bb79f115e9cddf194f9ea653
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Diffstat (limited to 'redfish-core/lib')
-rw-r--r-- | redfish-core/lib/redfish_sessions.hpp | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/redfish-core/lib/redfish_sessions.hpp b/redfish-core/lib/redfish_sessions.hpp index 555e7f32ac..dba1aac770 100644 --- a/redfish-core/lib/redfish_sessions.hpp +++ b/redfish-core/lib/redfish_sessions.hpp @@ -17,6 +17,7 @@ #include "account_service.hpp" #include "app.hpp" +#include "cookies.hpp" #include "error_messages.hpp" #include "http/utility.hpp" #include "persistent_data.hpp" @@ -125,6 +126,11 @@ inline void } } + if (session->cookieAuth) + { + bmcweb::clearSessionCookies(asyncResp->res); + } + persistent_data::SessionStore::getInstance().removeSession(session); messages::success(asyncResp->res); } @@ -245,7 +251,18 @@ inline void handleSessionCollectionPost( return; } - asyncResp->res.addHeader("X-Auth-Token", session->sessionToken); + // When session is created by webui-vue give it session cookies as a + // non-standard Redfish extension. This is needed for authentication for + // WebSockets-based functionality. + if (!req.getHeaderValue("X-Requested-With").empty()) + { + bmcweb::setSessionCookies(asyncResp->res, *session); + } + else + { + asyncResp->res.addHeader("X-Auth-Token", session->sessionToken); + } + asyncResp->res.addHeader( "Location", "/redfish/v1/SessionService/Sessions/" + session->uniqueId); asyncResp->res.result(boost::beast::http::status::created); |