We always welcome feedback from you to make Icinga even better. Many Icinga users have expressed the opinion that they would like to have a rememberme checkbox on the login page of Icinga Web  so that they don’t have to log in every time they visit Icinga Web

We have worked on this new feature especially during the Home-Office and plan to release it in the next release of Icinga Web.

 

Here are some steps how this works:

  • We introduce a new “remember me” cookie and a “Stay logged in” checkbox in the login form
  • All user sensitive information will be encrypted with RSA key pair.
  • The cookie expires after 30 days 
  • Renewal happens automatically upon a successful “remember me” authentication and involves recreating the RSA key pair and cookie with 30 day expiry date.
  • Authentication via the “remember me” cookie will trigger our normal authentication process, i.e. logging in with the username and password and creating a new session cookie if authentication succeeded
  • The cookie will be deleted if authentication fails or logout is triggered

In order to securely store the users secrets, we create an RSA key pair on the server side upon creation of the “remember me” cookie. The key pair will be stored in our web database. The contents of the cookie will be the following:

  • Public key
  • Username and password encrypted using the public key

That makes the public key our common secret. Upon authentication via the “remember me” cookie we look for the public key in our database, decrypt the secretes using the private key and trigger our normal authentication with the decrypted username and password.

 

Why we trigger the normal Authentication?

The normal authentication already includes the verification of the username and password combination. In this way we check if the user exists or the password is changed.

If the cookie already exists and the user visits the site, we decode the user secrets and try to log in with them. It works just as if the user has manually entered this information and clicked login.

 

You can follow the development of this feature on Github. If you have another suggestion or feature that you would like to see, please feel free to open an issue on Github.