Cisco anyconnect webvpn cookie #35
Conversation
Thanks! I don't have time to fully review and test now, but will take a more detailed look later. I also don't have access to any AnyConnect server that does SAML. Hrmmm. |
gp_saml_gui.py (outdated review context):

    if cookies:
        self.cookies.set_accept_policy(WebKit2.CookieAcceptPolicy.ALWAYS)
Hmmm… what's the reason for removing this?
I assumed that I need to have cookies enabled to extract the webvpn cookie.
Therefore I changed the cookie parameter to only control the cookie storage (line 53+54).
I'll check whether that is actually true and, if not, revert this change.
In case cookies are required (and I don't want to store them in a cookie file), would you prefer to keep the -C/-K parameters as they are now (controlling both storage and cookie acceptance) and add a new parameter for non-persistent acceptance?
Or change the parameters' meaning, to support these 3 cases?
My proposal would be something like:
--cookies: Store cookies in this file (instead of default %(default)s)
--no-cookies: Don't use or store cookies at all
--no-cookies-store: Use cookies, but don't store them on disk
What would be the reason not to store the cookies persistently if they're used? 🤷🏻‍♂️
Normally, SAML/federated login providers use them for things like remembering your username, or not requiring you to receive an SMS code every time if the cookies show you've logged in recently, etc.
HTTP/TLS-based VPNs use cookies heavily in their authentication. Other than GlobalProtect (somewhat ironic given that's what this code was originally written to support), I don't think there's an SSL-VPN protocol out there where the login process will work with a browser/agent that disables cookies entirely.
I'll give it a try with AnyConnect and see how it works.
I don't like to store unneeded stuff, especially when it's security related.
So as you point out I will probably need cookies enabled for the login to work. I will just input all credential data by myself. Or actually the password manager will do this for me. So single source of credentials, and not distributed over multiple files.
That's of course just a personal preference. :-)
I also don't see/have all these features like SMS code with AnyConnect, so I cannot relate.
I tried it - and AnyConnect cookie extraction also works with the original "Don't use or store cookies at all" implementation.
I should have tested it first :-)
I reverted back cookie handling to the original state - please have a look when you find some time to spare.
AnyConnect cookie extraction also works with original "Don't use or store cookies at all" implementation
Add support for Cisco AnyConnect SAML VPN, which returns the authentication cookie within the webvpn cookie.
I hope I did not break anything else; unfortunately, as I don't have other VPNs available, I was unable to test it.
If you want to pick up my change and need to make modifications, then I'll of course help with testing it versus the AnyConnect functionality.
Thanks for your work, it was (is) a great base to get AnyConnect SAML running!