fix sessions removed early when using kerberos authentication

sni · Jun 10, 2024 · 1ef49df · 1ef49df
1 parent 95203c6
commit 1ef49df
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/Changes b/Changes
@@ -2,6 +2,7 @@ This file documents the revision history for the Monitoring Webinterface Thruk.
 
 next:
           - fix recurring downtimes crontab entry for 2nd/3rd days of month
+          - fix sessions removed early when using kerberos authentication
           - Rest:
             - add transformation and disaggregation functions
             - add support for timeperiod / time queries in where clause

diff --git a/lib/Thruk/Context.pm b/lib/Thruk/Context.pm
@@ -357,7 +357,9 @@ sub authenticate {
     # set session id for all requests
     if(!$sessiondata && !$internal) {
         if(!Thruk::Base->mode_cli()) {
-            ($sessionid,$sessiondata) = Thruk::Utils::get_fake_session($c, undef, $username, undef, $c->req->address);
+            my $extra = {};
+            $extra->{'fake'} = 0 if _is_browser_request($c);
+            ($sessionid,$sessiondata) = Thruk::Utils::get_fake_session($c, undef, $username, undef, $c->req->address, $extra);
             if(!$options{'keep_session'}) {
                 $c->cookie('thruk_auth', $sessionid, { httponly => 1 });
             }
@@ -454,7 +456,7 @@ sub _request_username {
     # kerberos authentication
     elsif(($env->{'AUTH_TYPE'}//'') eq 'Negotiate' && ($env->{'GSS_NAME'}//'') ne '' ) {
         $username = $env->{'REMOTE_USER'} // $env->{'GSS_NAME'};
-        $auth_src = "Negotiate";
+        $auth_src = "negotiate";
     }
     # basic authentication
     elsif(defined $env->{'REMOTE_USER'} && $env->{'REMOTE_USER'} ne '' ) {
@@ -1123,6 +1125,21 @@ sub _is_ssl_request {
     return;
 }
 
+###################################################
+# return true if request is from a browser and not scripted, for example from curl / wget
+sub _is_browser_request {
+    my($c) = @_;
+
+    # theme cookie is a good indicator for a user request
+    my $cookies = $c->env->{'HTTP_COOKIE'};
+    if($cookies) {
+        return 1 if($cookies =~ m/thruk_theme|thruk_screen/gmx);
+    }
+
+    # everything else assumed to be not a browser
+    return;
+}
+
 ###################################################
 
 1;
diff --git a/lib/Thruk/Utils.pm b/lib/Thruk/Utils.pm
@@ -1790,6 +1790,8 @@ sub get_fake_session {
             $sessiondata->{$key} = $extra->{$key};
         }
     }
+    delete $sessiondata->{'fake'} unless $sessiondata->{'fake'}; # make it possible to create non-fake sessions via extra data
+
     require Thruk::Utils::CookieAuth;
     $sessiondata = Thruk::Utils::CookieAuth::store_session($c->config, $id, $sessiondata);
     $c->stash->{'fake_session_id'}   = $sessiondata->{'private_key'};