How does session management work in the Rancher v1.6 UI?

This document (000020206) is provided subject to the disclaimer at the end of this document.

Situation

Question

This article looks at how session management, and expiry, functions in the Rancher v1.6 UI.

Pre-requisites

  • This article is applicable to Rancher v1.6 instances

Answer

The Rancher user interface uses a token for session management. The token is originally obtained by the client by calling the /v2-beta/token API. This API is triggered by the end-user entering their username and password and clicking the "Log In" button. Below is an example request:

URL: https://rancher.example.com/v2-beta/token

Method: POST

Request body (formatted for readability):

{
  "code":"admin:<password here>",
  "authProvider":"localauthconfig"
}

Upon successful authentication, the server generates a random 40-character token that is associated with the authenticated user. This token is returned to the user interface in the jwt field of the JSON response. The token is valid for 16 hours from the time of creation, and this expiration is enforced by the server. Below is a sample response (formatted for readability):

{
  "id":null,
  "type":"token",
  "links":{},
  "baseType":"token",
  "actionLinks":{},
  "accountId":"1a1",
  "authProvider":"localAuthConfig",
  "code":null,
  "enabled":true,
  "jwt":"V1dMyPArix5nN1jxiA6DdzsqdZitDJhZuBR3vZNr",
  "originalLogin":null,
  "redirectUrl":null,
  "security":true,
  "user":"admin",
  "userIdentity":
  {
    "externalId":"1a1",
    "profilePicture":null,
    "name":"admin",
    "externalIdType":"rancher_id",
    "profileUrl":null,
    "login":"admin",
    "role":null,
    "projectId":null,
    "user":false,
    "all":null,
    "id":"rancher_id:1a1"
  },
  "userType":"admin"
}

The user interface stores the token in a cookie called token and sends this cookie with all subsequent API requests to the server. In addition to the token, the server also sets a CSRF (Cross-Site Request Forgery) cookie, which must be sent back on each request. This ensures the request came from the client and not from a third party or a malicious script. Below is a sequence diagram that demonstrates how a token is created and used.

Session Management Sequence Diagram

Upon session expiration, the user interface will redirect the user back to the login page.
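The following is an added illustration, not code from the article or from Rancher: a minimal client-side model of the flow described above, covering the POST /v2-beta/token request, validation of the 40-character jwt field in the response, the token and CSRF cookies attached to later requests, and the 16-hour expiry clock that triggers the redirect to the login page. The CSRF cookie name ("CSRF"), the sample CSRF value and the use of HTTP 401 as the server's rejection status are assumptions, as the article does not state them.

```python
import json
import time
from http.cookies import SimpleCookie
from urllib.parse import urljoin

TOKEN_TTL_SECONDS = 16 * 60 * 60  # lifetime enforced by the server, counted from creation
TOKEN_LENGTH = 40                 # the "jwt" field carries a random 40-character token
CSRF_COOKIE = "CSRF"              # assumption: the article does not name the CSRF cookie

def login_request(base_url, username, password, auth_provider="localauthconfig"):
    """Build the POST /v2-beta/token request the UI sends when 'Log In' is clicked."""
    return {
        "method": "POST",
        "url": urljoin(base_url, "/v2-beta/token"),
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"code": f"{username}:{password}", "authProvider": auth_provider}),
    }

class RancherSession:
    """Client-side view of one UI session: the token, the CSRF cookie and the expiry clock."""

    def __init__(self, token, csrf, user, issued_at):
        self.token, self.csrf, self.user, self.issued_at = token, csrf, user, issued_at

    @classmethod
    def from_login_response(cls, body_text, set_cookie_headers, issued_at):
        data = json.loads(body_text)
        token = data.get("jwt")
        if not isinstance(token, str) or len(token) != TOKEN_LENGTH:
            raise ValueError("login response lacks a 40-character 'jwt' token")
        jar = SimpleCookie()
        for header in set_cookie_headers:   # one Set-Cookie header per call
            jar.load(header)
        if CSRF_COOKIE not in jar:
            raise ValueError("login response did not set the CSRF cookie")
        return cls(token, jar[CSRF_COOKIE].value, data.get("user"), issued_at)

    def expires_at(self):
        return self.issued_at + TOKEN_TTL_SECONDS

    def is_expired(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at()

    def request_cookies(self):
        """Cookies the UI attaches to every later API call: the token plus the CSRF cookie."""
        return {"token": self.token, CSRF_COOKIE: self.csrf}

    def next_action(self, status, now=None):
        """Mirror the UI: an expired session goes back to the login page (401 is assumed)."""
        return "redirect-to-login" if self.is_expired(now) or status == 401 else "continue"

# Constructed sample: the article's example response, trimmed, plus a made-up CSRF cookie.
SAMPLE_BODY = json.dumps({"type": "token", "jwt": "V1dMyPArix5nN1jxiA6DdzsqdZitDJhZuBR3vZNr",
                          "user": "admin", "userType": "admin"})
SAMPLE_SET_COOKIES = ["CSRF=2c2a6f2d1d2e4f5a; Path=/; Secure"]
```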

Note: the session token expiration duration is not currently configurable. An enhancement request to add this functionality is tracked on GitHub at https://github.com/rancher/rancher/issues/16467

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020206
  • Creation Date: 15-Jul-2021
  • Modified Date: 15-Jul-2021
    • SUSE Rancher
