Splunk CAC login / SSO cookie length

neutronscott
New Member

I'm playing with Splunk 6.6.0 and DOD CAC login (X509 client certificates on a smartcard). The documentation says the REMOTE_USER must be in every request, but testing shows this isn't necessarily true, I think. Once the user received a session cookie, I was able to remove the header and stay signed in. In fact, I could close the browser and re-open it and the session was still alive. The cookie was set to expire in 10 years I believe, but I'm sure after 1hr of inactivity the server-side expires it.

Since client SSL auth and cert extraction is said to be an expensive operation, I thought I'd only request it once. This is what our web mail does. But I have also read that a per-location ssl verify requires a secure renegotiation and is better done with a separate domain or port. Our web mail uses a different port. So I was thinking of doing a redirect from when Splunk sends the user to /en-US/account/login to go to a separate VirtualHost that has "SSLVerifyClient required" and passes REMOTE_USER from %{SSL_CLIENT_SAN_OTHER_msUPN_0}e which maps to userPrincipalName in LDAP to Active Directory...

I believe this is a much better way than the previous solutions on here, but:

  1. Can I rely on passing the REMOTE_USER just once? (perhaps I misunderstood documentation)
  2. Can I get the browser cookie set by Splunk to expire on close? Without editing headers in Apache?
  3. If #1 is false, perhaps I can use my own mod_session setup, and welcome ideas, as I've little experience in cookie security and cross-site attacks.
0 Karma

neutronscott
New Member

I think the answers are:

  1. yes
  2. tools.sessions.restart_persist = false

This should greatly improve performance as the client certificates aren't verified with each connection.

0 Karma
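The two-VirtualHost layout sketched in the question, with the answer's conclusion that REMOTE_USER only has to be supplied on the login request, as an added Apache configuration example. This is not configuration from the thread or from Splunk; hostnames, ports, certificate paths and the Splunk backend URL are assumed placeholders. The security-relevant detail is that the main vhost strips any inbound REMOTE_USER so a client cannot inject it, and only the client-cert vhost ever sets it.

```apache
# Added example, not from the thread. Placeholders: splunk.example.com,
# port 8443 for the CAC-only vhost, DoD CA bundle path, Splunk Web on 127.0.0.1:8000.
# Requires mod_ssl, mod_headers, mod_proxy, mod_proxy_http, mod_alias.

# 1) Main proxy vhost: no client-certificate prompt, serves the Splunk UI.
<VirtualHost *:443>
    ServerName splunk.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/splunk.crt
    SSLCertificateKeyFile /etc/pki/tls/private/splunk.key
    SSLVerifyClient none

    # Never forward a client-supplied REMOTE_USER from this vhost.
    # "early" removes it before any other header processing.
    RequestHeader unset REMOTE_USER early

    # Splunk sends unauthenticated users to /en-US/account/login;
    # send only that path to the CAC-required vhost.
    RedirectMatch 302 ^/en-US/account/login$ https://splunk.example.com:8443/en-US/account/login

    # Splunk Web backend (assumed to be running with SSL on 8000).
    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass        / https://127.0.0.1:8000/
    ProxyPassReverse / https://127.0.0.1:8000/
</VirtualHost>

# 2) CAC vhost: a valid client certificate is required for every request here,
#    but in this design only the login request is routed to it.
<VirtualHost *:8443>
    ServerName splunk.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/splunk.crt
    SSLCertificateKeyFile /etc/pki/tls/private/splunk.key

    # Placeholder: bundle of the issuing DoD CAs. CAC leaf certs are issued by
    # intermediates, so the verify depth must allow the full chain.
    SSLCACertificateFile /etc/pki/tls/certs/dod-ca-bundle.pem
    SSLVerifyClient require
    SSLVerifyDepth 3

    # Export SSL_CLIENT_* (including the SAN otherName msUPN) as environment
    # variables so %{...}e can read them.
    SSLOptions +StdEnvVars

    # Drop anything the client sent, then set REMOTE_USER from the certificate's
    # Microsoft UPN. Only this vhost is allowed to set the header.
    RequestHeader unset REMOTE_USER early
    RequestHeader set REMOTE_USER "%{SSL_CLIENT_SAN_OTHER_msUPN_0}e"

    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass        / https://127.0.0.1:8000/
    ProxyPassReverse / https://127.0.0.1:8000/
</VirtualHost>
```

On the Splunk side this assumes web.conf is set to trust the header only from the proxy's address (strict SSO mode with the proxy listed as the trusted IP, and remoteUser pointing at REMOTE_USER), together with the answer's tools.sessions.restart_persist = false so the session cookie is not persisted across browser restarts. Two caveats a reviewer would raise: browsers scope cookies by host, not port, so the session cookie established on :8443 is also sent to :443 (which is what makes the single login work) and to anything else served on that hostname; and because the header is the whole credential, every path by which a request can reach Splunk Web must pass through a vhost that unsets it, including direct access to port 8000, which should be firewalled to the proxy.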

jkat54
SplunkTrust

"In fact, I could close the browser and re-open it and the session was still alive"

I find this hard to believe unless you had other browser windows open or have a network device that is caching cookies.

0 Karma

neutronscott
New Member

"or have a network device that is caching cookies."

I find this hard to believe.

0 Karma

jkat54
SplunkTrust

Which part, that you might have such a device or that one might exist?

0 Karma