UI doesn't allow login if sessionkey and JSESSIONID cookies are deleted

[andrijapanicsb]

ISSUE TYPE

• Bug Report

COMPONENT NAME

UI (old UI, not Primate)

CLOUDSTACK VERSION

4.14+ (probably present on all older versions as well)

To consistently reproduce this, this is what I did:

• Login into UI, then open devtools->Application-> cookies
• Delete the sessionkey and JSESSIONID cookies (to simulate session expiry, in browser but not on mgmt server)
• Refresh UI and try to log in, you won't be able to login
• You've to wait until the previous session expires, or clear cache

The solution is for legacy UI to call the logout API when 401/unauthorised happens (logout will expire session on backend mgmt server) and clear cookies.

[rohityadavcloud]

The issue happens because from code we're unable to clear HttpOnly cookie[1], this cookie can only be cleared by CloudStack (i.e. the server, not the client) and the fix is to call the logout API (which Primate does as well) when we get 401 error on the first API we call to validate auth (listCapabilities).

[1] https://owasp.org/www-community/HttpOnly

[rohityadavcloud]

@davidjumani please pick this up. Thanks.

[davidjumani]

Calling a logout after a 401 does not appear to solve this even before / after clearing cookies

[andrijapanicsb]

When the issue happens (not able to login to /client), you can go to /client/primate, login and logout - then all is fine and you can login back to /client.
Once this expires, you need to repeat the exercise again or clear all cookies (for some reason, manually deleting cookies via Developer Tools --> Application --> Cookies, did not work for me)

[rohityadavcloud]

@davidjumani can you experiment by removing all cookies and then call logout API?

[davidjumani]

Yup. Tried clearing before and after logging out. Was still unable to login. Only clearing everything in the browser appeared to work

[rohityadavcloud]

@davidjumani are you blocked, is there no solution to this otherwise? (perhaps a backend fix?)

[davidjumani]

@rhtyd Looks like there's nothing that can be done from the front end. Need to look into the backend