guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lee <ldoug...@vt.edu>
Subject Re: 1.0.0 LocalStorage auth instead of cookies
Date Tue, 05 Mar 2019 00:04:14 GMT
My issue (and need for Cookie-based auth or an alternative) is very similar.
Lev noted this in my own thread and pointed here.

In my case, we determined that our users only needed the servers for a few
hours and different times of the week or month so we generally have the
virtual machines off. We also determined that Guacamole probably not the
best system to control spinning up or down these virtual machines --
designing the extensions would have been difficult, and prone to issues as
guacamole matured. So we designed a wrapper that is responsible for ensuring
the servers are available when the users need them; The users start the
system outside guacamole, and get a button that opens a new tab with a
one-time-use cookie that drops them directly into the specified server on
demand.

To reduce any confusion, we strip away most of the guacamole client features
like user management, and let guacamole handle the RDP/SSH sessions through
'just-in-time' configurations provided by our authentication extension,
which can also pass in configuration options. Guacamole effectively persists
nothing outside sessions.

The clearing of cookies in the past caused no issues on existing sessions,
so a user could have 4 tabs with different RDP/SSH sessions at the same time
(or, in some cases, sessions to the same server that was configured to give
new SSH/RDP sessions for each connection). We found this very valuable --
such as teachers looking at or troubleshooting multiple student sessions at
the same time. It's also helpful when working on an exercise that has two
computers talking to each other. With out testing and approach, these
sessions could go on nearly indefinitely, even if their cookies were
destroyed. Survival through a tab refresh is not a requirement for us.

Incognito mode is a good work-around for technical people, but not a great
workaround for elementary and middle school students (or teachers) who are
using the guacamole service in their "Introduction to computers" class.

Does this give a possible use case for cookie-based authentication?

My team's plan is to destroy the local storage data as well as the cookies
and see if that allows us to move forward. Hopefully it allows sessions to
persist like it has in the past.

-Lee
Virginia Tech / Virginia Cyber Range



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Mime
View raw message