THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

API & Integration, DevOps,NetOps,SecOps

Reply

Authentication cookie timeout

[ Edited ]
DarkLite1
New Member
Posts: 1

‎05-28-2019 05:11 AM - edited ‎05-29-2019 01:34 AM

6019     0

We're writing a module in PowerShell to simplify the management of IP addresses in InfoBlox. For the moment we request a `PSCredential` object to execute the call to the API. However, it seems best practice to switch to using a cookie for authentication instead. 

 

This code creates the variable '$AuthCookie':

 

 $Params = @{
    Uri = "$Uri/record:host?_return_as_object=1"
    Method = 'GET'
    Credential = $Credential
    SessionVariable = 'AuthCookie'
 }
Invoke-RestMethod @Params
And it is consumed like this:

Invoke-RestMethod -Uri $Params.Uri -Method GET -WebSession $AuthCookie
So far so good. The only thing left is to verify that the cookie is still valid before we do a call. To accomplish this the following is mentioned in the WAPI documentation:
 
WAPI supports the same underlying authentication methods that NIOS supports for username and password. This also applies to the cookie timeout which is the same value as the Grid UI timeout. All WAPI users must have permissions that grant them access to the API.
 
The correct timeout can be found in the GUI under Grid > Grid Manager > Sidebar: Grid Properties > Token usage timeout: 10 min.
 
My question, how can we access this vallue with a call to the API through PowerShell or Curl for example? It would help us keep track of the validity time of the cookie.
 
Thank you for your help and sorry if this is the wrong place to post the question, I just didn't find another place to ask. 
 
On a side note, in the examples of the documentation the timeout of the cookie can be read like this:

$Test = Invoke-RestMethod @GetParams -Uri "$Uri/grid/b25lLmNsdXN0ZXIkMA:Infoblox?_return_as_object=1&_return_fields%2B=security_setting"

$Test.result.security_setting | fl

admin_access_items                    : {}
audit_log_rolling_enable              : True
http_redirect_enable                  : True
lcd_input_enable                      : True
login_banner_enable                   : True
login_banner_text                     : Disconnect NOW if you have not been expressly authorized
                                        to use this system.
remote_console_access_enable          : True
security_access_enable                : False
security_access_remote_console_enable : True
session_timeout                       : 86400
ssh_perm_enable                       : True
support_access_enable                 : False
support_access_info                   : Not enabled
The weird thing is that this says the session is valid for 86400 seconds instead of the 10 min or 600 seconds in the GUI. Maybe I'm mixing things up. Thanks for clarifying how long the cookie will be valid. 
Reply
0 Kudos

Re: Authentication cookie timeout
paulr
Expert
Posts: 188

‎06-12-2019 03:23 AM

6020     0

I think you are getting mixed up. Token usage timeout is different to the session timeout, it's used for auto-provisioning new grid members. Ignore that for now. You already found the session timout (86400 secs). That is a very long timeout setting though, normally it would be something like 10 minutes.

 

I've been doing a bit of work with cookie authentication lately, I was expecting the session timeout to act a bit like a REST token timer, but it doesn't at all and this confused me a bit, until I realised that you can keep using the cookie ad-infinitum without having to worry about a token timer. I've done other REST programming where the token only lasts 5 minutes so you have to check the validity and get a new token as you approach the token expiry time.

 

But with cookies, the session timeout value is exactly that - the session times out after x minutes of inactivity, just like the UI. So if you have it set to 10 mins, it will expire 10 mins after the last API call. In your case, it won't expire for a whole day, which is actually quite dangerous as someone or something could hi-jack your session.

 

So I would reduce the session timeout to something more "sensible" and just keep using the cookie for as long as you need it.

 

What I am struggling at the moment is a way to invalidate the cookie - the docs say to call the /logout API, but when I try it I get HTTP error 500, so something is not right somewhere. I'm still trying to figure out what is going on.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply

Re: Authentication cookie timeout
paulr
Expert
Posts: 188

‎06-12-2019 03:25 AM

6020     0

By the way, you'll find the session timeout in grid properties -> security in the UI.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply
0 Kudos

Re: Authentication cookie timeout
paulr
Expert
Posts: 188

‎06-12-2019 03:31 AM

6020     0

Ok I've just answered my own question, it seems when you call the /logout API you should not pass any headers, then it seems to work.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements

Businesses are investing heavily into securing company resources from cyber-attacks form cybercrimin

playicon