Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

API & Integration, DevOps,NetOps,SecOps

Reply

Authentication cookie timeout

[ Edited ]
New Member
Posts: 1
5022     0

We're writing a module in PowerShell to simplify the management of IP addresses in InfoBlox. For the moment we request a `PSCredential` object to execute the call to the API. However, it seems best practice to switch to using a cookie for authentication instead. 

 

This code creates the variable '$AuthCookie':

 

 $Params = @{
    Uri = "$Uri/record:host?_return_as_object=1"
    Method = 'GET'
    Credential = $Credential
    SessionVariable = 'AuthCookie'
 }
Invoke-RestMethod @Params
And it is consumed like this:

Invoke-RestMethod -Uri $Params.Uri -Method GET -WebSession $AuthCookie
So far so good. The only thing left is to verify that the cookie is still valid before we do a call. To accomplish this the following is mentioned in the WAPI documentation:
 
WAPI supports the same underlying authentication methods that NIOS supports for username and password. This also applies to the cookie timeout which is the same value as the Grid UI timeout. All WAPI users must have permissions that grant them access to the API.
 
The correct timeout can be found in the GUI under Grid > Grid Manager > Sidebar: Grid Properties > Token usage timeout: 10 min.
 
My question, how can we access this vallue with a call to the API through PowerShell or Curl for example? It would help us keep track of the validity time of the cookie.
 
Thank you for your help and sorry if this is the wrong place to post the question, I just didn't find another place to ask. 
 
On a side note, in the examples of the documentation the timeout of the cookie can be read like this:

$Test = Invoke-RestMethod @GetParams -Uri "$Uri/grid/b25lLmNsdXN0ZXIkMA:Infoblox?_return_as_object=1&_return_fields%2B=security_setting" $Test.result.security_setting | fl admin_access_items : {} audit_log_rolling_enable : True http_redirect_enable : True lcd_input_enable : True login_banner_enable : True login_banner_text : Disconnect NOW if you have not been expressly authorized to use this system. remote_console_access_enable : True security_access_enable : False security_access_remote_console_enable : True session_timeout : 86400 ssh_perm_enable : True support_access_enable : False support_access_info : Not enabled
The weird thing is that this says the session is valid for 86400 seconds instead of the 10 min or 600 seconds in the GUI. Maybe I'm mixing things up. Thanks for clarifying how long the cookie will be valid. 

Re: Authentication cookie timeout

Expert
Posts: 185
5022     0

I think you are getting mixed up. Token usage timeout is different to the session timeout, it's used for auto-provisioning new grid members. Ignore that for now. You already found the session timout (86400 secs). That is a very long timeout setting though, normally it would be something like 10 minutes.

 

I've been doing a bit of work with cookie authentication lately, I was expecting the session timeout to act a bit like a REST token timer, but it doesn't at all and this confused me a bit, until I realised that you can keep using the cookie ad-infinitum without having to worry about a token timer. I've done other REST programming where the token only lasts 5 minutes so you have to check the validity and get a new token as you approach the token expiry time.

 

But with cookies, the session timeout value is exactly that - the session times out after x minutes of inactivity, just like the UI. So if you have it set to 10 mins, it will expire 10 mins after the last API call. In your case, it won't expire for a whole day, which is actually quite dangerous as someone or something could hi-jack your session.

 

So I would reduce the session timeout to something more "sensible" and just keep using the cookie for as long as you need it.

 

What I am struggling at the moment is a way to invalidate the cookie - the docs say to call the /logout API, but when I try it I get HTTP error 500, so something is not right somewhere. I'm still trying to figure out what is going on.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Authentication cookie timeout

Expert
Posts: 185
5022     0

By the way, you'll find the session timeout in grid properties -> security in the UI.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Authentication cookie timeout

Expert
Posts: 185
5022     0

Ok I've just answered my own question, it seems when you call the /logout API you should not pass any headers, then it seems to work.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Showing results for 
Search instead for 
Did you mean: 

Recommended for You