Session value in cookies update

Hi @Allan_Zimmermann, we have observed that the session value for a user in cookies is not changing. We also noticed that the session and session.sig are linked to nodered.

Is it possible to have a different session value for every login? A user can copy the Admin user's session_id and session.sig values and, after logging out, forward the request and get the user details.

The session is reused as long as it has not expired (it's stored in the database).
If you want to rotate those more often (and thereby force users to re-login more often), you can modify their lifetime using the oidc_access_token_ttl, oidc_authorization_code_ttl, oidc_client_credentials_ttl, oidc_refresh_token_ttl and oidc_session_ttl environment variables.

Thanks for the suggestion

Hi Allan, could you please provide the name of the collection? ("The session is reused as long as it has not expired (it's stored in the database).")

The collection name is oauthtokens.

I am using username and password to login.
I couldn't find the oauthtokens collection in openflow.


It also looks like you don't have any agents or nodereds running, so I guess you haven't used it yet.

In openflow before 1.5, nodered would use SAML; with 1.5 and up, nodered uses OpenID Connect, where the tokens are saved in oauthtokens.

We are using 1.4.36, so is there any way to expire the session?

Not for nodered. It uses SAML, so as long as the token is signed by openflow it will accept it.
(The user can still sign out, but since you're asking about the database I'm going to assume you mean something other than the user manually going to "Logout" in the menu in nodered.)
So you can expire it for everyone by changing the certificate inside the "signing_crt" environment variable and restarting all API nodes.

OpenFlow uses cookie sessions. You can change the encryption secret by setting the environment variable cookie_secret.
This contains a JSON Web Token (JWT) based on your user object. This token is signed using the environment variable encryption_key and is set to expire based on shorttoken_expires_in (or longtoken_expires_in).

The big issue here is that encryption_key is also used to encrypt data in the database, like openrpa credentials (all fields defined in the _encrypt array on an object), so changing this will make all of those fields unreadable ... I should probably get those two "split up" at some point, but right now that is how it is.

Is it advisable to change it?

Sorry for the spam. One more thing ...
Yes, someone could copy the cookie and take over the session, but if someone can access your cookies you have a whole bunch of other issues. And the person stealing it will need to be fast, since the token in the cookie is only valid for 15 minutes. You can lower this to make it harder, but you need to keep it at at least a few minutes to allow for time skew.

You can change all of the settings, but be careful with updating encryption_key, since you will need to re-set all the encrypted values in the database (all nodered credentials and all openrpa credentials are saved this way).

@Allan_Zimmermann, we are changing the cookie_secret value every time, as you suggested, and it is working, but we need to restart openflow every time for it to take effect. We want to change the expiry of the session without restarting.
