4.19.1.2. -> Unable to login with non 2FA users. Error: "JSESSIONID from cookie is invalid."

[dataCobra]

ISSUE TYPE

• Bug Report

COMPONENT NAME

LOGIN, MANAGEMENT

CLOUDSTACK VERSION

4.19.1.2

SUMMARY

After the update to version 4.19.1.2. Users that don't have 2FA enabled are unable to login and get a 401 UNAUTHORIZED answer from the system. In the logs I can see that an error JSESSIONID from cookie is invalid. gets logged multiple times.

We have no special login methods (like OAuth, SAML) enabled and 2FA is also not mandatory but enabled.

This was tested with different clients with and without cache. All clients produced the same error.

STEPS TO REPRODUCE

1. Update to version 4.19.1.2
2. Try to login with a non 2FA user
3. Get 401 UNAUTHORIZED error

4. Downgrade to 4.19.1.1
5. Try to login with a non 2FA user
6. Login works fine

EXPECTED RESULTS

Login with non 2FA users does work.

ACTUAL RESULTS

Login with non 2FA users doesn't work. (401 UNAUTHORIZED)

---

We've downgraded to version 4.19.1.1 for now.

[weizhouapache]

@dataCobra
do you use the cloudstack GUI, or build your own dashboard ?

[dataCobra]

We are using the default GUI.

[weizhouapache]

@dataCobra
what is the exact error message, "JSESSIONID from cookie is invalid." ?

[dataCobra]

Oh sorry, yes this is the error. Will update the main message.

[weizhouapache]

@dataCobra
no problem.

For users who use the default GUI, it should work. we have made some changes on the cloudstack GUI to pass jsessionid to each API, it has been tested by multiple users. If it does not work, please clean the browser cache and retry.

For users who build their own dashboard, they need to modify their codebase and pass the jsessionid which can be found in the response of login API. As a workaround, they can set the global setting api.sessionkey.check.locations from default CookieAndParameter to CookieOrParameter. Please note, it is insecure. Users should fix their codebase asap.

[dataCobra]

Thank you for the quick answer.

We will test this and I come back to you after that.

[weizhouapache]

Thank you for the quick answer.

We will test this and I come back to you after that.

If it still does not work, can you share

• OS and version
• browser and version

please also try with different values of global setting api.sessionkey.cookie.samesite.
it has 4 valid values: Lax (default), Strict, NoneAndSecure and Null

[BartJM]

We have the same issue with 4.18.2.4 using the default GUI (no 2fa enabled).

Setting api.sessionkey.check.locations to CookieOrParameter did not resolve the issue.

With api.sessionkey.check.locations still set to CookieOrParameter changing api.sessionkey.cookie.samesite to any of the values did not change the result either.

Setting enable.secure.session.cookie to false made login work for us.

[weizhouapache]

@BartJM
thanks for sharing

@dataCobra
do you have the same setting enable.secure.session.cookie=true ?

[weizhouapache]

@BartJM @dataCobra
Is your cloudstack set up with https or http ?

[dataCobra]

Ours is setup with HTTPs.

The other question I can answer you on monday.

[weizhouapache]

I am able to reproduce the issue when 'enable.secure.session.cookie' is 'true'.
Tested with both http and https websites.

this is a regression of security fix for CSRF in 4.18.2.4 and 4.19.1.2.

workaround:

update configuration set value='false' where name='enable.secure.session.cookie';

then restart cloudstack-management

I will create a fix
cc @rohityadavcloud @DaanHoogland @GutoVeronezi @JoaoJandre