Actually, you are logged into Tableau - even with restricted Trusted Tickets. That is why you're able to navigate from viz to viz (in tabs) or even from one workbook to another (via URL actions) - the same workgroup & vizql session is in play. VizQL OR our application server (wgserver) is able to create a new wg session for you - this is authentication. You need to close this WG session to be logged out.
There's really only one way to truly log out of Tableau Server in this scenario, and it's a bit round-about.
- Use some sort of JQuery Plugin that does cookie management to pull the workgroup_session_id from the connection to Tableau Server (FYI, this is the same value that gets dropped into the http_requests table in our PostgreSQL database). The value will look something like "2e02da8d99d2e3d76337ee5fcf4f1c72"
- Use the new REST API's ability to signout via a POST request like this:
You'll need to add the wgid above as a header to the POST request:
This tells Tableau Server to close the WG session for the token in the header... and logs the user out of Tableau Server. Since you're doing it completely programmatically, you won't land on the login screen, either.
Right, apologies, we've had this conversation before.
I think I can't get it out of my head that this is not the behavior because of the ordeal I had last year where I had to request a ticket every time to get authentication to work.
How is it possible to read the session id from the cookie if the viz is embedded in an iframe on a different domain? As I understood, I can not read the cookie from other domains?
Our client wants to login to an embedded view with different accounts, but he is not able to log out. The only way is to close and restart the browser.
We have an application that contains embedded Tableau visualizations. User authentication and authorization is handled by our app and we are using Tableau trusted authentication to provide tickets to the clients for connecting to Tableau views over the internet. Preventing unauthorized access is very important for our application and therefore we are currently evaluating possible weaknesses and taking extra measures to secure the system (e.g. we are using two factor authentication for all users).
One of the vulnerabilities we have identified is that the Tableau session is left open even after a user logs out from the web application containing the Tableau views. This might allow an attacker to grab the session id and replay requests to Tableau.
Russell is saying that the session id is also stored in the http_requests table. However, when looking at the table, it seems like session_id is almost always null (we have some not null values from one month ago, but all rows that are added when accessing the embedded views contain null session_ids).
1. User logs out of main application
2. Application queries Tableau system_users by the user name
3. Application queries Tableau users by the system user id
4. Application queries Tableau sessions by the user id
5. Application calls Tableau REST API to sign out sessions by the session id
You can find the session info when using the 'readonly' user right in the sessions table
SELECT sessions.session_id,
       system_users.name AS user_name
FROM sessions, users, system_users
WHERE sessions.user_id = users.id AND users.system_user_id = system_users.id;
The session_id field there can be used with the REST API signout technique Russell outlines.
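The five-step procedure above (look the user's open sessions up in the repository by user name, then sign each one out through the REST API) as an added Python example; this is not code from the thread or from Tableau. It assumes a DB-API cursor on the Tableau PostgreSQL repository (the 'readonly' user mentioned above), and it assumes the REST API sign-out endpoint is POST /api/{version}/auth/signout with the session id carried in an X-Tableau-Auth header; neither the path nor the header name appears in the thread, so treat both as assumptions to check against your server's REST API documentation. The DemoCursor and demo_opener stand-ins are constructed so the script runs offline; swap in a real psycopg2 cursor and urllib.request.urlopen to use it.

```python
import urllib.request
import urllib.error

# Assumed, not from the thread: REST API sign-out path and the header that carries the session id.
SIGNOUT_PATH = "/api/{version}/auth/signout"
AUTH_HEADER = "X-Tableau-Auth"

# The three-table join from the thread, filtered to one user name.
# "%s" is the DB-API placeholder psycopg2 uses for PostgreSQL parameters.
SESSIONS_FOR_USER_SQL = """
SELECT sessions.session_id
FROM sessions, users, system_users
WHERE sessions.user_id = users.id
  AND users.system_user_id = system_users.id
  AND system_users.name = %s
"""


def find_sessions_for_user(cursor, user_name):
    """Steps 2-4: map a user name to its open workgroup session ids (null ids are dropped)."""
    cursor.execute(SESSIONS_FOR_USER_SQL, (user_name,))
    return [row[0] for row in cursor.fetchall() if row[0]]


def build_signout_request(server_url, api_version, session_id):
    """Step 5: a POST to the sign-out endpoint with the session id in the auth header."""
    url = server_url.rstrip("/") + SIGNOUT_PATH.format(version=api_version)
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header(AUTH_HEADER, session_id)
    return req


def sign_out_sessions(session_ids, server_url, api_version="2.0", opener=urllib.request.urlopen):
    """Send one sign-out per session id; return {session_id: HTTP status or error text}."""
    results = {}
    for sid in session_ids:
        req = build_signout_request(server_url, api_version, sid)
        try:
            with opener(req) as resp:
                results[sid] = resp.status
        except urllib.error.HTTPError as err:
            results[sid] = err.code  # e.g. 401 when the session is already closed
        except urllib.error.URLError as err:
            results[sid] = str(err.reason)
    return results


def sign_out_user(cursor, user_name, server_url, api_version="2.0", opener=urllib.request.urlopen):
    """Steps 2-5 end to end: find every open session for the user and close each one."""
    sids = find_sessions_for_user(cursor, user_name)
    return sign_out_sessions(sids, server_url, api_version, opener)


# --- Constructed offline stand-ins (hypothetical data, not from a real server) ---------------

DEMO_SESSION_ID = "2e02da8d99d2e3d76337ee5fcf4f1c72"  # shape of the id quoted in the thread


class DemoCursor:
    """Fake DB-API cursor: one live session and one null session_id row for the demo user."""

    def __init__(self):
        self.params = []

    def execute(self, sql, params):
        self.params.append(params)

    def fetchall(self):
        return [(DEMO_SESSION_ID,), (None,)]


class _DemoResponse:
    status = 204  # sign-out answers with no body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


DEMO_SENT = []


def demo_opener(req):
    """Fake urlopen: records the request; 204 for the known session, 401 for anything else."""
    token = req.get_header(AUTH_HEADER.capitalize())  # urllib stores header keys capitalised
    DEMO_SENT.append((req.full_url, req.get_method(), token))
    if token != DEMO_SESSION_ID:
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
    return _DemoResponse()


if __name__ == "__main__":
    outcome = sign_out_user(DemoCursor(), "alice", "https://tableau.example.com", opener=demo_opener)
    print(outcome)  # {'2e02da8d99d2e3d76337ee5fcf4f1c72': 204}
```

Run it after step 1 (the application's own logout) for the user who just logged out. Because the lookup is by user name rather than by the cookie, it does not depend on reading the workgroup_session_id cookie from an iframe on another domain, which is the cross-domain problem raised earlier in the thread; it does require the application to reach the repository on the server side with the readonly account.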