I’m using grafana HTTP API to build a front-end application on grafana.
User authentication is with the basic Auth model (default grafana authentication). I need the logout API, which causes the grafana_session
cookie to expire.
I cannot remove the grafana_session
cookie from my scripts, because the httpOnly flag is on. Could you please help me handle the user logout?
The only grafana configs that I've changed are the two configs below:
# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
cookie_samesite = none
# set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. d$
allow_embedding = true
I found the solution and share it here to help anybody who has the same question.
As Jan said in the comment, cookies are for the UI auth and are set by the server. The HttpOnly
flag makes cookies secure against the risk of cross-site scripting (XSS); they cannot be deleted or overwritten from JS scripts.
Grafana's default authentication uses the grafana_session
cookie, which is an HttpOnly cookie. So if anybody else needs to know how to delete the grafana_session
cookie for user sign-out, you only need to call the /logout
endpoint.
axios.get('http://localhost:3000/logout')
It will automatically set the cookie in the request header, which will delete the grafana_session
token, and the user needs to log in for the next requests.
headers: {
Cookie: 'grafana_session=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax'
}
The following links helped me understand HttpOnly cookies. They may be useful for others:
https://stackoverflow.com/a/1085792/16994002
https://security.stackexchange.com/questions/211356/delete-secure-cookie-using-javascript
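To confirm (for instance in an integration test) that the /logout response really expires the session cookie rather than just setting a new value, here is an added example that is not from the original post: it parses a Set-Cookie header and checks its Max-Age/Expires attributes. The sample header is constructed from the one quoted above; function names are my own.

```javascript
// Added example (not from the original post): parse a Set-Cookie header such as the
// one Grafana's /logout response carries and check that it really clears the cookie.
// Attribute handling follows RFC 6265; the sample header below is constructed here.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive; flags like HttpOnly carry no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// A Set-Cookie header clears the named cookie when Max-Age <= 0 or Expires lies
// in the past. Max-Age takes precedence over Expires when both are present.
function clearsCookie(header, expectedName, now = Date.now()) {
  const c = parseSetCookie(header);
  if (c.name !== expectedName) return false;
  const a = c.attributes;
  if ('max-age' in a) return Number(a['max-age']) <= 0;
  if ('expires' in a) {
    const t = Date.parse(a.expires);
    return !Number.isNaN(t) && t <= now;
  }
  // No expiry at all: this (re)sets a session cookie, it does not clear one.
  return false;
}

// Constructed sample: the header quoted in the answer above.
const LOGOUT_SET_COOKIE = 'grafana_session=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax';
```

Feed it the Set-Cookie header captured from the /logout response; a result of false means the browser will keep the old session cookie.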