We've looked at this more closely since yesterday and my initial assessment was not entirely correct; there actually is no technical reason why sessions cannot be activated for Basic Auth, so you can switch the authentication method for the M/Monit app. The only problem (as you found out) is that sessions were not activated. This has now been changed and the next point release of M/Monit (3.5.2 probably) will work with Basic Auth as well as with Form Based Auth. Thank you for bringing this to our attention.

> On 12 Oct 2015, at 23:36, Philippe Wooding <[email protected]> wrote:
>
> Thanks for your response.
> If indeed, it is by design and things are unlikely to change, then the
> M/Monit documentation (https://mmonit.com/documentation/mmonit_manual.pdf)
> should probably be updated to state that the web site can’t use anything else
> than form based authentication.
> It would have avoided my spending time trying to understand why it wasn’t
> working :-)
> Do you know why only the status page breaks when using basic auth?
> What information does the session hold?
>
> Cheers
>
>> On 12 Oct 2015, at 23:05, Jan-Henrik Haukeland <[email protected]> wrote:
>>
>> You pretty much explained this yourself. It is correct what you found, when
>> Basic Auth is used, no session is created. The M/Monit app, as it is,
>> depends on a session being created and therefore only supports login via form
>> based auth. The exception is the /collector page which actually uses Basic
>> Auth. This is to lower resource usage - if you have thousands of Monit
>> agents reporting in to M/Monit, creating a session for each of these
>> connections with no logout can be expensive. The bottom line is that this is
>> by design and unlikely to change.
>>
>> Ps. The reason you were able to start with form based auth and then switch
>> to basic auth is because M/Monit sessions are persistent over a restart so
>> you are still logged into M/Monit via your browser’s zsessionid cookie.
>>
>>> On 12 Oct 2015, at 21:44, Philippe Wooding <[email protected]> wrote:
>>>
>>> Hi all,
>>>
>>> I’ve started using M/Monit (3.5.1-linux-x64) and would like to use HTTP
>>> basic auth instead of the default login form.
>>> However, HTTP auth seems to be broken.
>>> When I log in, I get the index page ok, but when I switch to the ‘status’
>>> tab, I get a ‘Page not found’ error popup.
>>> With the standard form based auth, everything works ok.
>>> I traced the basic auth error down to the lack of the ‘zsessionid’ cookie.
>>> It never gets created with basic auth and seems to be required by the
>>> following query:
>>> http://127.0.0.1:8080/session/get?key=sHostGroup&key=sLed&key=sHostName
>>>
>>> If I start by using form based auth and then switch to basic auth, the
>>> cookie is known to the browser and everything
>>> is fine until I restart my browser.
>>>
>>> Is anyone else out there using HTTP auth or does my description ring a bell?
>>>
>>> Cheers,
>>>
>>> P Wooding
>>
>> --
>> To unsubscribe:
>> https://lists.nongnu.org/mailman/listinfo/monit-general
