HTTP/HTTPS Cookie sharing issue
Posted: Fri Aug 10, 2018 2:22 pm
Hi
I've found an issue that involves Nagios XI servers that can be accessed over both HTTP and HTTPS. After logging into the HTTPS interface, it basically renders the HTTP interface unusable (you can't log in).
Steps to reproduce:
- Log in to a Nagios XI using HTTPS (for instance https://nagiosxi.demos.nagios.com/nagiosxi , ignore the certificate errors)
- Attempt to log in again, but using HTTP (for instance http://nagiosxi.demos.nagios.com/nagiosxi )
Result: "NSP: Sorry Dave, I can't let you do that" when attempting to log in. Even after logging out of the HTTPS interface the issue persists.
Workaround: Manually delete the cookie for the respective domain and log in again.
Tested with Chrome latest (68.0.3440.106) and Firefox latest; doesn't seem to happen with IE.
I'm not sure if it only happens because of the invalid certificate.
Thanks, Gonzalo