I'm playing with Splunk 6.6.0 and DOD CAC login (X509 client certificates on a smartcard). The documentation says the REMOTE_USER must be in every request, but testing shows this isn't necessarily true, I think. Once the user received a session cookie, I was able to remove the header and stay signed in. In fact, I could close the browser and re-open it and the session was still alive. The cookie was set to expire in 10 years I believe, but I'm sure after 1hr of inactivity the server-side expires it.
Since client SSL auth and cert extraction is said to be an expensive operation, I thought I'd only request it once. This is what our web mail does. But I have also read that a per-location ssl verify requires a secure renegotiation and is better done with a separate domain or port. Our web mail uses a different port. So I was thinking of doing a redirect from when Splunk sends the user to /en-US/account/login to go to a separate VirtualHost that has "SSLVerifyClient required" and passes REMOTE_USER from %{SSL_CLIENT_SAN_OTHER_msUPN_0}e which maps to userPrincipleName in LDAP to Active Directory...
I believe this is a much better way than the previous solutions on here, but:
- Can I rely on passing the REMOTE_USER just once? (perhaps I misunderstood documentation)
- Can I get the browser cookie set by Splunk to expire on close? Without editing headers in Apache?
- If #1 is false, perhaps I can use my own mod_session setup, and welcome ideas, as I've little experience in cookie security and cross-site attacks.
