grans, March 16, 2021, 8:26am (#1)
After everything worked properly (7.4.3), I can no longer log in with Chrome / Windows 10 or Edge / Windows 10. After entering username and password, the green popup “Logged in” appears, but immediately afterwards I am logged out. Cleaning the cache, clearing history or adjusting the cookie settings does not matter. Even after disabling all browser extensions, no success.
When I log in with Firefox on the same PC, everything goes smoothly. Everything also works fine on my Android tablet with Chrome.
Is this a known issue? I couldn’t find anything in the forum, can someone help me?
grans, March 16, 2021, 9:03am (#2)
I did some more searching and found in grafana.ini the line “cookie_samesite = none” which would be necessary because I want to embed in an iframe. If I mark this line with a semicolon I can log in with Chrome and Edge so this is the cause.
Can anyone tell me how to set “cookie_samesite” so that I can use iframes and still login with Chrome?
Please provide a reproducible example. It’s not clear how your Grafana is configured, which domain is used, errors from the browser console… Provide details, logs, errors, how you debugged the issue… to increase your chance of an answer.
Blind guess: wrong Grafana configuration which makes incorrect cookies (secure cookie, cookie domain, same site attribute, …) which are not accepted by browsers.
grans, March 16, 2021, 9:07am (#4)
Thanks for your reply! While you were responding I was also typing, please read what I wrote about grafana.ini.
So still looking for a solution.
Again, you are not posting your full Grafana config (just a single line instead of everything) if you want a proper answer. Go and read how Chrome (the newest Edge is also Chrome based) handles the SameSite cookie config. Random blog post: WTF is Chrome’s SameSite cookie update? - Digiday. Blind guess (because your Grafana config is secret, so I really don’t know if it’s your case):
> Any cookie with the “SameSite=None” label must also have a secure flag, meaning it will only be created and sent through requests made over HTTPS.
grans, March 16, 2021, 11:54am (#6)
There is nothing mysterious about my setup info and it is certainly not secret. I didn’t want to bore readers with such a large file, but now that you explicitly ask for it, I’ll post it:
```ini
[DEFAULT]
app_mode = production
instance_name = PH-Grafana

[alerting]
concurrent_render_limit = 5
enabled = true
error_or_timeout = alerting
evaluation_timeout_seconds = 30
execute_alerts = true
max_annotation_age =
max_annotations_to_keep = 0
max_attempts = 3
min_interval_seconds = 1
nodata_or_nullvalues = no_data
notification_timeout_seconds = 30

[analytics]
check_for_updates = true
google_analytics_ua_id =
google_tag_manager_id =
reporting_distributor = grafana-labs
reporting_enabled = true

[annotations.api]
max_age =
max_annotations_to_keep = 0

[annotations.dashboard]
max_age =
max_annotations_to_keep = 0

[auth]
api_key_max_seconds_to_live = -1
disable_login_form = false
disable_signout_menu = false
login_cookie_name = grafana_session
login_maximum_inactive_lifetime_days =
login_maximum_inactive_lifetime_duration = 7d
login_maximum_lifetime_days =
login_maximum_lifetime_duration = 30d
oauth_auto_login = false
oauth_state_cookie_max_age = 600
signout_redirect_url =
sigv4_auth_enabled = false
token_rotation_interval_minutes = 10

[auth.anonymous]
enabled = true
hide_version = false
org_name = LW
org_role = Viewer

[auth.azuread]
allow_sign_up = true
allowed_domains =
allowed_groups =
api_url =
auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
client_id = some_client_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = Azure AD
role_attribute_path =
scopes = openid email profile
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

[auth.basic]
enabled = true

[auth.generic_oauth]
allow_sign_up = true
allowed_domains =
allowed_organizations =
api_url =
auth_url =
client_id = some_id
client_secret = ************
email_attribute_name = email:primary
email_attribute_path =
enabled = false
hosted_domain =
id_token_attribute_name =
login_attribute_path =
name = OAuth
name_attribute_path =
role_attribute_path =
scopes = user:email
team_ids =
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure = false
token_url =

[auth.github]
allow_sign_up = true
allowed_domains =
allowed_organizations =
api_url = https://api.github.com/user
auth_url = https://github.com/login/oauth/authorize
client_id = some_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = github
role_attribute_path =
scopes = user:email,read:org
team_ids =
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url = https://github.com/login/oauth/access_token

[auth.gitlab]
allow_sign_up = true
allowed_domains =
allowed_groups =
api_url = https://gitlab.com/api/v4
auth_url = https://gitlab.com/oauth/authorize
client_id = some_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = gitlab
role_attribute_path =
scopes = api
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url = https://gitlab.com/oauth/token

[auth.google]
allow_sign_up = true
allowed_domains =
api_url = https://www.googleapis.com/oauth2/v1/userinfo
auth_url = https://accounts.google.com/o/oauth2/auth
client_id = some_client_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = google
role_attribute_path =
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url = https://accounts.google.com/o/oauth2/token

[auth.grafana_com]
allow_sign_up = true
allowed_domains =
allowed_organizations =
api_url =
auth_url =
client_id = some_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = grafana_com
role_attribute_path =
scopes = user:email
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url =

[auth.grafananet]
allow_sign_up = true
allowed_domains =
allowed_organizations =
api_url =
auth_url =
client_id = some_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = grafananet
role_attribute_path =
scopes = user:email
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url =

[auth.ldap]
active_sync_enabled = true
allow_sign_up = true
config_file = /etc/grafana/ldap.toml
enabled = false
sync_cron = 0 0 1 * * *

[auth.okta]
allow_sign_up = true
allowed_domains =
allowed_groups =
api_url = https://<tenant-id>.okta.com/oauth2/v1/userinfo
auth_url = https://<tenant-id>.okta.com/oauth2/v1/authorize
client_id = some_id
client_secret = ************
email_attribute_name =
email_attribute_path =
enabled = false
hosted_domain =
name = Okta
role_attribute_path =
scopes = openid profile email groups
tls_client_ca =
tls_client_cert =
tls_client_key =
tls_skip_verify_insecure =
token_url = https://<tenant-id>.okta.com/oauth2/v1/token

[auth.proxy]
auto_sign_up = true
enable_login_token = false
enabled = false
header_name = X-WEBAUTH-USER
header_property = username
headers =
ldap_sync_ttl = 60
sync_ttl = 60
whitelist =

[auth.saml]
enabled = false
single_logout = false

[dashboards]
default_home_dashboard_path =
min_refresh_interval = 5s
versions_to_keep = 20

[database]
ca_cert_path =
cache_mode = private
client_cert_path =
client_key_path =
conn_max_lifetime = 14400
connection_string =
host = 127.0.0.1:3306
log_queries = false
max_idle_conn = 2
max_open_conn = 0
name = grafana
password = ************
path = grafana.db
server_cert_name =
skip_migrations =
ssl_mode = disable
type = sqlite3
url =
user = root

[dataproxy]
expect_continue_timeout_seconds = 1
idle_conn_timeout_seconds = 90
keep_alive_seconds = 30
logging = false
max_idle_connections = 100
send_user_header = false
timeout = 30
tls_handshake_timeout_seconds = 10

[datasources]
datasource_limit = 5000

[date_formats]
date_format_use_browser_locale = false
default_timezone = browser
full_date = YYYY-MM-DD HH:mm:ss
interval_day = MM/DD
interval_hour = MM/DD HH:mm
interval_minute = HH:mm
interval_month = YYYY-MM
interval_second = HH:mm:ss
interval_year = YYYY
use_browser_locale = false

[emails]
templates_pattern = emails/*.html
welcome_email_on_sign_up = false

[enterprise]
license_path = /var/lib/grafana/license.jwt

[explore]
enabled = true

[expressions]
enabled = true

[external_image_storage]
provider =

[external_image_storage.azure_blob]
account_key =
account_name =
container_name =

[external_image_storage.gcs]
bucket =
enable_signed_urls = false
key_file =
path =
signed_url_expiration =

[external_image_storage.local]

[external_image_storage.s3]
access_key =
bucket =
bucket_url =
endpoint =
path =
path_style_access =
region =
secret_key = ************

[external_image_storage.webdav]
password = ************
public_url =
url =
username =

[feature_toggles]
enable =

[grafana_com]
url = https://grafana.com

[grafana_net]
url = https://grafana.com

[log]
filters =
level = info
mode = console file

[log.console]
format = console
level = info

[log.file]
daily_rotate = true
file_name = /var/log/grafana/grafana.log
format = text
level = info
log_rotate = true
max_days = 7
max_lines = 1000000
max_size_shift = 28

[log.frontend]
custom_endpoint = /log
enabled = false
log_endpoint_burst_limit = 15
log_endpoint_requests_per_second_limit = 3
sample_rate = 1.0
sentry_dsn =

[log.syslog]
address =
facility =
format = text
level =
network =
tag =

[metrics]
basic_auth_password = ************
basic_auth_username =
disable_total_stats = false
enabled = true
interval_seconds = 10

[metrics.environment_info]

[metrics.graphite]
address =
prefix = prod.grafana.%(instance_name)s.

[panels]
disable_sanitize_html = false
enable_alpha = false

[paths]
data = /var/lib/grafana
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
temp_data_lifetime = 24h

[plugin.grafana-image-renderer]
grpc_host =
grpc_port =
rendering_args =
rendering_chrome_bin =
rendering_clustering_max_concurrency =
rendering_clustering_mode =
rendering_dumpio =
rendering_ignore_https_errors =
rendering_language =
rendering_mode =
rendering_timezone =
rendering_verbose_logging =
rendering_viewport_device_scale_factor =
rendering_viewport_max_device_scale_factor =
rendering_viewport_max_height =
rendering_viewport_max_width =

[plugins]
allow_loading_unsigned_plugins =
app_tls_skip_verify_insecure = false
enable_alpha = false
marketplace_url = https://grafana.com/grafana/plugins/

[quota]
enabled = false
global_api_key = -1
global_dashboard = -1
global_data_source = -1
global_org = -1
global_session = -1
global_user = -1
org_api_key = 10
org_dashboard = 100
org_data_source = 10
org_user = 10
user_org = 10

[remote_cache]
connstr =
type = database

[rendering]
callback_url =
concurrent_render_request_limit = 30
server_url =

[security]
admin_password = ************
admin_user = admin
allow_embedding = true
content_security_policy = false
content_security_policy_template = script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';
cookie_samesite = lax
cookie_secure = false
data_source_proxy_whitelist =
disable_brute_force_login_protection = false
disable_gravatar = false
disable_initial_admin_creation = false
secret_key = ************
strict_transport_security = false
strict_transport_security_max_age_seconds = 86400
strict_transport_security_preload = false
strict_transport_security_subdomains = false
x_content_type_options = true
x_xss_protection = true

[server]
cdn_url =
cert_file =
cert_key =
domain = localhost
enable_gzip = false
enforce_domain = false
http_addr = 0.0.0.0
http_port = 3000
protocol = http
root_url = %(protocol)s://%(domain)s:%(http_port)s/
router_logging = false
serve_from_sub_path = false
socket = /tmp/grafana.sock
static_root_path = public

[smtp]
cert_file =
ehlo_identity =
enabled = false
from_address = admin@grafana.localhost
from_name = Grafana
host = localhost:25
key_file =
password = ************
skip_verify = false
startTLS_policy =
user =

[snapshots]
external_enabled = true
external_snapshot_name = Publish to snapshot.raintank.io
external_snapshot_url = https://snapshots-origin.raintank.io
public_mode = false
snapshot_remove_expired = true

[tracing.jaeger]
address =
always_included_tag =
disable_shared_zipkin_spans = false
sampler_param = 1
sampler_type = const
sampling_server_url =
zipkin_propagation = false

[users]
allow_org_create = false
allow_sign_up = false
auto_assign_org = true
auto_assign_org_id = 1
auto_assign_org_role = Viewer
default_theme = dark
editors_can_admin = false
external_manage_info =
external_manage_link_name =
external_manage_link_url =
hidden_users =
login_hint = email or username
password_hint = ************
user_invite_max_lifetime_duration = 24h
verify_email_enabled = false
viewers_can_edit = false
```
+1 for conf file markdown formatting, -10 that the conf sections are not readable and that it looks like a default config: a lot of default rubbish lines which are obviously not used (it looks like you really want to waste my time).
You are not using secure cookies, so that’s a problem for SameSite=None in Chrome:
> Any cookie with the “SameSite=None” label must also have a secure flag, meaning it will only be created and sent through requests made over HTTPS.
That’s one obvious issue. Please don’t expect that cookie_samesite = none and cookie_secure = false will solve the problem. Highlighting: “it will only be created and sent through requests made over HTTPS”. So make a proper secure setup: proper HTTPS and proper cookie config, and it will work fine.
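A small configuration check for the combination discussed in this thread, added here as an example and not part of the original posts or of Grafana itself. It parses the `[security]` and `[server]` sections of a grafana.ini with Python's configparser and reports the cookie settings that a Chromium-based browser would reject; the two sample configs are constructed (the hostname and certificate paths in the fixed one are placeholders).

```python
import configparser

# Constructed sample 1: the weak combination from the thread. Embedding is wanted,
# so SameSite=None is set, but the cookie is not Secure and Grafana is served over http.
WEAK_INI = """
[server]
protocol = http
domain = localhost
http_port = 3000

[security]
allow_embedding = true
cookie_samesite = none
cookie_secure = false
"""

# Constructed sample 2: the same embedding setup done properly: HTTPS plus Secure cookie.
# Hostname and certificate paths are placeholders.
FIXED_INI = """
[server]
protocol = https
domain = grafana.example.com
cert_file = /etc/grafana/grafana.crt
cert_key = /etc/grafana/grafana.key
http_port = 3000

[security]
allow_embedding = true
cookie_samesite = none
cookie_secure = true
"""


def session_cookie_findings(ini_text: str) -> list[str]:
    """Return a list of problems with the grafana_session cookie settings (empty = ok)."""
    # interpolation=None so %(protocol)s-style values in root_url do not need resolving
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    # Grafana defaults: cookie_samesite = lax, cookie_secure = false, protocol = http
    samesite = cfg.get("security", "cookie_samesite", fallback="lax").strip().lower()
    secure = cfg.getboolean("security", "cookie_secure", fallback=False)
    protocol = cfg.get("server", "protocol", fallback="http").strip().lower()
    tls = protocol in ("https", "h2")

    findings = []
    if samesite == "none" and not secure:
        # Chromium drops SameSite=None cookies that lack the Secure attribute: the login
        # request succeeds but the session cookie is never stored, hence "logged in, then out".
        findings.append("cookie_samesite=none requires cookie_secure=true")
    if secure and not tls:
        findings.append("cookie_secure=true but server.protocol is not https: browsers will not send the cookie")
    if samesite == "none" and not tls:
        findings.append("SameSite=None for iframe embedding needs Grafana served over HTTPS")
    return findings
```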
system, Closed, March 16, 2022, 8:27am (#9)
This topic was automatically closed after 365 days. New replies are no longer allowed.