I just installed Kibana, and after visiting http://localhost:5601/ I immediately got this error:
{
statusCode: 400,
error: "Bad Request",
message: "Invalid cookie value"
}
After about 10 minutes of Googling, I tried clearing my cookies and it resolved the issue (I had some old cookies in my cookie jar from other projects). This seems like a potentially annoying issue for new users to run into, so perhaps it would be good to update the docs or change the way Kibana reacts to random cookies?
A report of a similar error came in as #5380, which we were not able to replicate. The hard part is that Kibana doesn't validate any cookies, at least not knowingly.
If it happens again, please take note of the cookies that you have set and let us know.
@spalger, @rashidkpc, I am pleased to share that further investigation has shown what happened in case #5380.
I showed @spalger's comments to the security team where I work, and we sniffed the traffic (using the tcpdump command) to see what Kibana sees when it receives a request. What we found was that Kibana receives, among other headers, a header called "Cookie" with content following the syntax "Cookie: OAMAuthnCookie_<DOMAIN>:80=<VALUE>;". The character that triggers the error message reported in case #5380 is the ":" (colon). This can be tested with the curl command on Linux:
## This throws an error
curl 'http://localhost:5601/' -H 'Cookie: test:80=value'
## This doesn't
curl 'http://localhost:5601/' -H 'Cookie: test_80=value'
Researching the Apache documentation, we found that it is possible to suppress headers from a request. So we suppressed the Cookie header by setting "RequestHeader unset Cookie" in httpd.conf. With that done, Kibana loaded perfectly.
@spalger, @rashidkpc, thank you for the tips!
I am using kibana-4.2.0-linux-x64 and Chrome is always throwing until we clear the cache each time.
{"statusCode":400,"error":"Bad Request","message":"Invalid cookie value"}
It is really annoying to tell users to clear the cache or use the Safari browser.
Is there any way to get rid of this "Invalid cookie value" issue in Chrome?
@hridyeshpant This fix wasn't available until 4.2.2, if upgrading is an option I would suggest doing that.
You can also open an incognito window for this issue
I see this in Kibana 4-6-1 on Windows, on Chrome (IE and Firefox work fine.)
I am able to reproduce this with Kibana 4.6.1 after setting the following cookie:
document.cookie = "Cookie"
Probably it should not be able to be set, but somehow it got set by the server, so the client happily sends the invalid cookie without a value yet Kibana is the only application that crashes.
Confirming on 5.0.0 too, reopening
Downgrading priority - custom cookies are still able to be set, invalid cookies (without an = for example) are rejected. The UX on this could be better.
I don't think I did anything to set a custom cookie - I was just following the basic elkstack tutorial and it happened.
Any update on this? I am getting the issue when I run Kibana in dev mode (Windows).
The issue is still there on 5.4.1
The issue is still there on 5.6.3, tested on Mac OSX 10.11.6 / Chrome 61.0.3163.100
@spalger as mentioned above (by me and others), the issue is still there
This is now TWO YEARS this issue is in place.
@jbudz: re: your comment - how can this be OK if a session left idle for some time is unusable afterwards? Refreshing, F5, Ctrl-F5, whatever does not fix the error. I need to actually open the root link to be able to use Kibana again.
If there is a fix, please post it here so people can at least use Kibana between sessions.
@spalger
Any update?
@jbudz we are now in 2018 and the same bug is still there. It makes Kibana unusable in the long term.
How come this issue is still there??
This is what I just got after 10 minutes or so of inactivity:
I need to remove everything in the URL after the server name, hit Enter and everything is fine again after Kibana has reloaded.
Can someone that is still affected by this issue provide concrete steps to reproduce? This issue seems to be affecting an extremely small number of installs, and since we're unable to reproduce it here, a fix just continues to get kicked down the road. If we have a reliable way to reproduce this, we can figure out the definitive cause and track down a fix.
@epixa - I've noticed that I run into this particularly when I run other node services on my machine.
I'm using a Mac and the latest version of Kibana. Steps are as follows:
- Launch Kibana
- Hit the Kibana URL - works fine
- Launch another node web app on some other port
- Close Kibana
- Launch Kibana again in another browser window (or tab) - get error
{"statusCode":400,"error":"Bad Request","message":"Invalid cookie header"}
Usually clearing cookies for all of localhost (not just the kibana ones) fixes the issue, but it's annoying to have to do that.
I ran into this when running Kibana 5.6.15 in a Docker container deployed to a Kubernetes cluster with a traefik load balancer and an f5. The f5 or something else along the way seems to add a cookie that hapi (the underlying server lib used by Kibana) didn't like. Clearing my browser cookies etc. did nothing to resolve the issue.
To fix the issue I had to modify the defaults.js file used by hapi.
In the docker image the file is under /usr/share/kibana/node_modules/hapi/lib/defaults.js
In that file I changed
state: {
parse: true, // Parse content of req.headers.cookie
failAction: 'error' // Action on bad cookie...
},
to
state: {
parse: false, // Parse content of req.headers.cookie
failAction: 'ignore' // Action on bad cookie ...
},
That resolved it for me; hope this helps someone.
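The behaviour reported in this thread (a `test:80=value` cookie or a bare `Cookie` with no `=` producing a 400, and the `failAction` setting of 'error' versus 'ignore'), modelled as an added example that is not part of any comment above and is not hapi's or Kibana's code. It assumes the RFC 6265 cookie grammar; the function names and the sample headers are hypothetical.

```javascript
// Model of strict vs. lenient Cookie-header handling (illustrative; not hapi's source).
// RFC 6265: cookie-name is an RFC 2616 "token", so separators such as ":" are not allowed.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, optionally DQUOTE-wrapped.
const VALUE = /^(?:"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"|[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*)$/;

function classifyPair(pair) {
  const eq = pair.indexOf('=');
  if (eq === -1) return { ok: false, reason: 'missing "="' };
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  if (!TOKEN.test(name)) return { ok: false, reason: `invalid name "${name}"` };
  if (!VALUE.test(value)) return { ok: false, reason: `invalid value for "${name}"` };
  return { ok: true, name, value };
}

// failAction mirrors the two settings quoted in the thread: 'error' or 'ignore'.
function parseCookieHeader(header, failAction = 'error') {
  const cookies = {};
  const rejected = [];
  for (const raw of header.split(';')) {
    const pair = raw.trim();
    if (pair === '') continue; // tolerate a trailing ";"
    const result = classifyPair(pair);
    if (result.ok) {
      cookies[result.name] = result.value;
    } else if (failAction === 'error') {
      // One bad pair from any app on the same host fails the whole request.
      const err = new Error('Invalid cookie header');
      err.statusCode = 400;
      err.detail = result.reason;
      throw err;
    } else {
      rejected.push({ pair, reason: result.reason });
    }
  }
  return { cookies, rejected };
}

// Proxy-side alternative to unsetting the whole header: forward only well-formed pairs.
function sanitizeCookieHeader(header) {
  const { cookies } = parseCookieHeader(header, 'ignore');
  return Object.entries(cookies).map(([n, v]) => `${n}=${v}`).join('; ');
}
```

Filtering at the proxy keeps valid session cookies intact, whereas unsetting the Cookie header or disabling parsing discards all cookie state for the application.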