On Mon, Mar 4, 2019 at 3:15 PM Lev Dubinets <[email protected]> wrote:
> Hi Lee, I actually have the same/similar issue and started a thread about
> this recently:
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/1-0-0-LocalStorage-auth-instead-of-cookies-tp4996.html
>
> Probably best to merge my thread into yours.
>
> Nick/Mike, can you elaborate why this change was made?
> https://issues.apache.org/jira/browse/GUACAMOLE-549
> What was wrong with cookie-based authentication?
>

Nothing is inherently wrong with cookie-based authentication. Apache Guacamole does not use cookies, and actually hasn't since it migrated to an interface driven by REST services. The 1.0.0 changes were to migrate client-side storage of the session token from a cookie to local storage.

Storing the session token within a cookie is problematic given that the cookie is not actually read by the server. It unnecessarily exposes the contents of the cookie when all relevant endpoints are actually expecting to receive the token only via a "token" query parameter in each request.

The unnecessary use of a cookie was partly the cause of a vulnerability addressed by 1.0.0:

http://mail-archives.apache.org/mod_mbox/guacamole-announce/201901.mbox/%3CCALKeL-O%2B%3DRxbd0y%2BhSB9%3DY0N400A8sV2BiKgZfNsjGxZipA-uQ%40mail.gmail.com%3E

> Re: Nick's questions "What are you trying to accomplish?": I have software
> written that allows people to connect to multiple servers. 1.0.0
> unfortunately breaks it. Having different accounts is useful for
> segregation as well as for being able to automatically open the single
> session in the account.
>

Nothing in 1.0.0 will prevent you from having different accounts, nor from connecting to multiple servers. You won't be able to sign in as multiple users to the same domain from within the same browser, but assuming your users don't all share the same browser instance things will still work as expected.

It might be a good idea for the new local storage of the token to be modified to be path-specific, allowing multiple deployments below the same domain, but migrating back to cookies is not the way to go.

- Mike
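The path-specific token storage Mike suggests, written out as an added example (not Guacamole's own code); it assumes a Storage-compatible object is passed in, that the deployment's base path is known to the caller, and that REST requests are relative paths carrying the token as the "token" query parameter described above. The key names and helper names are invented for illustration.

```javascript
// Added example, not Guacamole's code: token storage keyed by deployment path,
// so /guacamole/ and /guacamole-dev/ on the same host do not clobber each other.
// Caveat: localStorage is scoped to the origin, not the path, so per-path keys
// only prevent collisions; any script served from the same origin can still
// read every key, so this is not a security boundary between deployments.

// Derive a storage key from the base path, e.g. "/guacamole" -> "GUAC_AUTH:/guacamole/".
function tokenKey(basePath) {
  // Normalise to exactly one leading and one trailing slash so "/guac" and "/guac/" match.
  const trimmed = basePath.replace(/^\/+|\/+$/g, '');
  return 'GUAC_AUTH:' + (trimmed === '' ? '/' : '/' + trimmed + '/');
}

function storeToken(storage, basePath, token) {
  storage.setItem(tokenKey(basePath), token);
}

function loadToken(storage, basePath) {
  return storage.getItem(tokenKey(basePath));
}

function clearToken(storage, basePath) {
  storage.removeItem(tokenKey(basePath));
}

// Attach the session token to a relative REST path as the "token" query
// parameter, which is the only place the server reads it from. Existing query
// parameters are preserved and the token is percent-encoded by URLSearchParams.
function withToken(path, token) {
  const u = new URL(path, 'http://placeholder.invalid'); // base needed only to parse a relative path
  u.searchParams.set('token', token);
  return u.pathname + u.search;
}

// Minimal Storage stand-in so the example also runs outside a browser
// (in a browser, pass window.localStorage instead).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```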
