Authentication cookie timeout
05-28-2019 05:11 AM - edited 05-29-2019 01:34 AM
We're writing a module in PowerShell to simplify the management of IP addresses in InfoBlox. For the moment we request a `PSCredential` object to execute the call to the API. However, it seems best practice to switch to using a cookie for authentication instead.
This code creates the variable '$AuthCookie':
```powershell
$Params = @{
    Uri             = "$Uri/record:host?_return_as_object=1"
    Method          = 'GET'
    Credential      = $Credential
    SessionVariable = 'AuthCookie'
}
Invoke-RestMethod @Params
```
```powershell
Invoke-RestMethod -Uri $Params.Uri -Method GET -WebSession $AuthCookie
```
So far so good. The only thing left is to verify that the cookie is still valid before we do a call. To accomplish this the following is mentioned in the WAPI documentation:
```powershell
$Test = Invoke-RestMethod @GetParams -Uri "$Uri/grid/b25lLmNsdXN0ZXIkMA:Infoblox?_return_as_object=1&_return_fields%2B=security_setting"
$Test.result.security_setting | fl
```
```
admin_access_items                   : {}
audit_log_rolling_enable             : True
http_redirect_enable                 : True
lcd_input_enable                     : True
login_banner_enable                  : True
login_banner_text                    : Disconnect NOW if you have not been expressly authorized to use this system.
remote_console_access_enable         : True
security_access_enable               : False
security_access_remote_console_enable : True
session_timeout                      : 86400
ssh_perm_enable                      : True
support_access_enable                : False
support_access_info                  : Not enabled
```
Re: Authentication cookie timeout
06-12-2019 03:23 AM
I think you are getting mixed up. Token usage timeout is different to the session timeout; it's used for auto-provisioning new grid members. Ignore that for now. You already found the session timeout (86400 secs). That is a very long timeout setting though, normally it would be something like 10 minutes.
I've been doing a bit of work with cookie authentication lately. I was expecting the session timeout to act a bit like a REST token timer, but it doesn't at all and this confused me a bit, until I realised that you can keep using the cookie ad infinitum without having to worry about a token timer. I've done other REST programming where the token only lasts 5 minutes so you have to check the validity and get a new token as you approach the token expiry time.
But with cookies, the session timeout value is exactly that - the session times out after x minutes of inactivity, just like the UI. So if you have it set to 10 mins, it will expire 10 mins after the last API call. In your case, it won't expire for a whole day, which is actually quite dangerous as someone or something could hijack your session.
So I would reduce the session timeout to something more "sensible" and just keep using the cookie for as long as you need it.
What I am struggling with at the moment is a way to invalidate the cookie - the docs say to call the /logout API, but when I try it I get HTTP error 500, so something is not right somewhere. I'm still trying to figure out what is going on.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Re: Authentication cookie timeout
06-12-2019 03:25 AM
By the way, you'll find the session timeout in grid properties -> security in the UI.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Re: Authentication cookie timeout
06-12-2019 03:31 AM
OK, I've just answered my own question: it seems when you call the /logout API you should not pass any headers, then it seems to work.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
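
The session lifecycle discussed in this thread, as an added example that is not code from any of the posters or from Infoblox: reuse the cookie, re-authenticate once if the idle timeout has expired it, and always log out so the cookie cannot be reused. The function names are hypothetical; `$Uri` is the WAPI base URL as in the original post. It assumes that an expired cookie is rejected with HTTP 401 and that logout is a `POST` to `$Uri/logout`.

```powershell
# Added example. Function names are hypothetical; $Uri is the WAPI base URL.

function Connect-IbSession {
    param([string]$Uri, [pscredential]$Credential)
    # Authenticate once with the credential; the session cookie lands in $session.
    $null = Invoke-RestMethod -Uri "$Uri/grid?_return_as_object=1" -Method Get `
        -Credential $Credential -SessionVariable session
    return $session
}

function Invoke-IbRequest {
    param(
        [string]$Uri, [string]$Path, [string]$Method = 'Get',
        [Microsoft.PowerShell.Commands.WebRequestSession]$Session,
        [pscredential]$Credential
    )
    try {
        return Invoke-RestMethod -Uri "$Uri/$Path" -Method $Method -WebSession $Session
    }
    catch {
        $resp = $_.Exception.Response
        # Anything other than 401 is a real error: pass it on unchanged.
        if (-not $resp -or [int]$resp.StatusCode -ne 401) { throw }
        # Assumption: 401 means the idle timeout expired the cookie.
        # Drop the stale cookie and retry once; the new cookie is stored in $Session.
        $Session.Cookies = [System.Net.CookieContainer]::new()
        return Invoke-RestMethod -Uri "$Uri/$Path" -Method $Method `
            -WebSession $Session -Credential $Credential
    }
}

function Disconnect-IbSession {
    param([string]$Uri, [Microsoft.PowerShell.Commands.WebRequestSession]$Session)
    # As found in the last reply: no -Headers, no -ContentType, only the cookie.
    $null = Invoke-RestMethod -Uri "$Uri/logout" -Method Post -WebSession $Session
    # Forget the cookie locally as well.
    $Session.Cookies = [System.Net.CookieContainer]::new()
}

# Usage (needs a reachable grid, so it is left commented out):
# $s = Connect-IbSession -Uri $Uri -Credential $Credential
# try {
#     $hosts = Invoke-IbRequest -Uri $Uri -Path 'record:host?_return_as_object=1' `
#         -Session $s -Credential $Credential
# }
# finally {
#     Disconnect-IbSession -Uri $Uri -Session $s   # runs even if a call above failed
# }
```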