[Security UI] Infinite Redirect Triggered when switching basePaths

[elasticmachine]

Original comment by @pickypg:

!LINK REDACTED

A look at the cookies for the initial proxied request (running via npm start) via a look at the login page's redirect:

!LINK REDACTED

They all seem to follow the same pattern. The login page itself gets the same cookie without the empty, secure sid.

@lukasolson guessed that I had used Kibana + X-Pack without SSL in the past, which is 100% correct. This lead to an insecure sid cookie, which seems to cause trouble when SSL suddenly gets turned on.

Manually deleting the cookie resolved the issue (as did private browsing).

[elasticmachine]

Original comment by @lukasolson:

This actually seems to be unrelated to SSL, but rather running the Kibana server at the root of a host, then later running the server on the same host but with a base path. The cookies get into a funky state because there are multiple cookies with the same name but different paths.

[elasticmachine]

Original comment by @lukasolson:

Waiting on feedback from hapijs/statehood#29.

[elasticmachine]

Original comment by @lukasolson:

Now that hapijs/statehood#29 has been merged and the version of statehood has been bumped to 5.0.1, to take advantage of this change we'll need to update hapi to 15.0.1+.

[legrego]

Resolved in 7.6.0 via #50452