guacamole-user mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject Re: Authentication Changes in 1.0.0
Date Mon, 04 Mar 2019 23:26:33 GMT
On Mon, Mar 4, 2019 at 3:15 PM Lev Dubinets <levdubinets@live.com> wrote:

> Hi Lee, I actually have the same/similar issue and started a thread about
> this recently:
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/1-0-0-LocalStorage-auth-instead-of-cookies-tp4996.html
> .
>
> Probably best to merge my thread into yours.
>
> Nick/Mike, can you elaborate why this change was made?
>

https://issues.apache.org/jira/browse/GUACAMOLE-549


> What was wrong with cookie-based authentication?
>

Nothing is inherently wrong with cookie-based authentication. Apache
Guacamole does not use cookies, and actually hasn't since it migrated to an
interface driven by REST services. The 1.0.0 changes were to migrate
client-side storage of the session token from a cookie to local storage.
Storing the session token within a cookie is problematic given that the
cookie is not actually read by the server. It unnecessarily exposes the
contents of the cookie when all relevant endpoints are actually expecting
to receive the token only via a "token" query parameter in each request.

The unnecessary use of a cookie was partly the cause of a vulnerability
addressed by 1.0.0:

http://mail-archives.apache.org/mod_mbox/guacamole-announce/201901.mbox/%3CCALKeL-O%2B%3DRxbd0y%2BhSB9%3DY0N400A8sV2BiKgZfNsjGxZipA-uQ%40mail.gmail.com%3E


> Re: Nick's question "What are you trying to accomplish?": I have software
> written that allows people to connect to multiple servers. 1.0.0
> unfortunately breaks it. Having different accounts is useful for
> segregation as well as for being able to automatically open the single
> session in the account.
>

Nothing in 1.0.0 will prevent you from having different accounts, nor from
connecting to multiple servers. You won't be able to sign in as multiple
users to the same domain from within the same browser, but assuming your
users don't all share the same browser instance, things will still work as
expected.

It might be a good idea for the new local storage of the token to be
modified to be path-specific, allowing multiple deployments below the same
domain, but migrating back to cookies is not the way to go.

- Mike
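An added illustration of the two points above (the token travels only as the "token" query parameter, and local storage could be keyed per deployment path so that several deployments under one host do not overwrite each other's token). This is example code, not the Guacamole client's own; the key name, the deployment paths and the in-memory stand-in for window.localStorage are constructed for the example.

```javascript
// Added example, not Guacamole project code; key name and paths are constructed.
const KEY_PREFIX = 'guac.auth.token'; // placeholder, not the client's real key name

// Minimal Storage-like stand-in so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Derive the key from the deployment path: "/guacamole/" and
// "/guacamole/#/client/abc" share one key, "/guacamole-b/" gets another.
function tokenStorageKey(deploymentPath) {
  const path = deploymentPath.replace(/[#?].*$/, '').replace(/\/+$/, '');
  return `${KEY_PREFIX}:${path || '/'}`;
}

class TokenStore {
  constructor(storage, deploymentPath) {
    this.storage = storage;
    this.key = tokenStorageKey(deploymentPath);
  }
  save(token) { this.storage.setItem(this.key, token); }
  load() { return this.storage.getItem(this.key); }
  clear() { this.storage.removeItem(this.key); }
}

// The server reads the token only from the "token" query parameter, so the
// client attaches it to each request instead of relying on a cookie.
function withToken(endpoint, token) {
  const url = new URL(endpoint, 'https://deployment.invalid'); // placeholder base
  url.searchParams.set('token', token);
  return url.pathname + url.search;
}

// Two deployments on one host: a single domain-wide key lets the second
// sign-in clobber the first; path-scoped keys keep the sessions independent.
function compareScoping() {
  const shared = new MemoryStorage();
  shared.setItem(KEY_PREFIX, 'token-a');
  shared.setItem(KEY_PREFIX, 'token-b'); // overwrites token-a

  const scoped = new MemoryStorage();
  const a = new TokenStore(scoped, '/guacamole-a/');
  const b = new TokenStore(scoped, '/guacamole-b/#/client/xyz');
  a.save('token-a');
  b.save('token-b');
  return { sharedKey: shared.getItem(KEY_PREFIX), scopedA: a.load(), scopedB: b.load() };
}
```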
