
express-ntlm returning the wrong user

I'm using express-ntlm to get the current user's Windows ID in an intranet setting. It works fine most of the time, but occasionally it will return the ID of a completely different person. I'm guessing this is something to do with sessions maybe?

const ntlm = require('express-ntlm');

module.exports = app => {
  // Run NTLM authentication on every request
  app.use(
    ntlm({
      debug: function() {
        var args = Array.prototype.slice.apply(arguments);
        console.log.apply(null, args);
      },
      domain: 'MS',
      domaincontroller: 'ldap://something.com'
    })
  );

  app.post('/get-user-details/', (req, res) => {
    // Returns the correct user most of the time, but sometimes it returns a different person who opened the site at the same time
    console.log(req.ntlm.UserName);
  });
};

Unfortunately, NTLM authenticates connections, not sessions. That was fine in the past, but it doesn't make sense anymore, since browsers tend to open multiple connections at once to speed up page loading, and reverse proxies share connections to the backend. That's where the problem is: your reverse proxy will reuse already authenticated connections to the backend and therefore mix up users. To mitigate this issue, you have to make sure your reverse proxy has NTLM support enabled.

There is still an open pull request for express-ntlm that adds a Keep-Alive property, which might solve this issue. Unfortunately, it's widely untested and first needs to be verified.
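
The connection reuse described in the answer above, modelled as an added example (not code from the original post or from express-ntlm). The classes, the round-robin pool and the trace are constructed assumptions; no real proxy or NTLM handshake is involved.

```javascript
// Constructed model: the NTLM identity is bound to the connection, not the request.
class BackendConnection {
  constructor() { this.user = null; }
  handle(req) {
    // A completed handshake rebinds the connection; other requests inherit its identity.
    if (req.handshakeUser) this.user = req.handshakeUser;
    return this.user;
  }
}

// Hypothetical proxy without NTLM support: clients share a round-robin backend pool.
class SharedPoolProxy {
  constructor(size) {
    this.pool = Array.from({ length: size }, () => new BackendConnection());
    this.next = 0;
  }
  forward(clientConn, req) {
    return this.pool[this.next++ % this.pool.length].handle(req);
  }
}

// Hypothetical proxy with NTLM support: one backend connection per client connection.
class PinnedProxy {
  constructor() { this.byClient = new Map(); }
  forward(clientConn, req) {
    if (!this.byClient.has(clientConn)) this.byClient.set(clientConn, new BackendConnection());
    return this.byClient.get(clientConn).handle(req);
  }
}

// Replays a trace and returns every request where the app saw the wrong user.
function findMixups(proxy, trace) {
  const mixups = [];
  for (const { conn, actualUser, handshake } of trace) {
    const seen = proxy.forward(conn, { handshakeUser: handshake ? actualUser : null });
    if (seen !== actualUser) mixups.push({ conn, actualUser, seen });
  }
  return mixups;
}

// Constructed trace: two users open the site at the same time.
const trace = [
  { conn: 'c1', actualUser: 'alice', handshake: true },
  { conn: 'c2', actualUser: 'bob', handshake: true },
  { conn: 'c1', actualUser: 'alice', handshake: false },
  { conn: 'c2', actualUser: 'bob', handshake: false },
  { conn: 'c2', actualUser: 'bob', handshake: false },
];
console.log(findMixups(new SharedPoolProxy(2), trace), findMixups(new PinnedProxy(), trace));
```

In this model the first four requests resolve correctly through the shared pool and only the fifth lands on the other user's connection, which matches the "works most of the time" symptom in the question.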
