https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327661#M8403 <P>Which part, that you might have such a device or that one might exist?</P> Mon, 24 Jul 2017 20:15:11 GMT jkat54 2017-07-24T20:15:11Z https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327657#M8399 <P>I'm playing with Splunk 6.6.0 and DOD CAC login (X509 client certificates on a smartcard). The documentation says the REMOTE_USER must be in every request, but testing shows this isn't necessarily true, I think. Once the user received a session cookie, I was able to remove the header and stay signed in. In fact, I could close the browser and re-open it and the session was still alive. The cookie was set to expire in 10 years I believe, but I'm sure after 1hr of inactivity the server-side expires it.</P> <P>Since client SSL auth and cert extraction is said to be an expensive operation, I thought I'd only request it once. This is what our web mail does. But I have also read that a per-location ssl verify requires a secure renegotiation and is better done with a separate domain or port. Our web mail uses a different port. So I was thinking of doing a redirect from when Splunk sends the user to /en-US/account/login to go to a separate VirtualHost that has "SSLVerifyClient required" and passes REMOTE_USER from %{SSL_CLIENT_SAN_OTHER_msUPN_0}e which maps to userPrincipleName in LDAP to Active Directory...</P> <P>I believe this is a much better way than the previous solutions on here, but:</P> <OL> <LI>Can I rely on passing the REMOTE_USER just once? (perhaps I misunderstood documentation)</LI> <LI>Can I get the browser cookie set by Splunk to expire on close? Without editing headers in Apache?</LI> <LI>If #1 is false, perhaps I can use my own mod_session setup, and welcome ideas, as I've little experience in cookie security and cross-site attacks.</LI> </OL> Tue, 29 Sep 2020 15:02:45 GMT https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327657#M8399 neutronscott 2020-09-29T15:02:45Z https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327658#M8400 <P>"In fact, I could close the browser and re-open it and the session was still alive"</P> <P>I find this hard to believe unless you had otnher browser windows open or have a network device that is caching cookies.</P> Sun, 23 Jul 2017 13:21:32 GMT https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327658#M8400 jkat54 2017-07-23T13:21:32Z https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327659#M8401 <BLOCKQUOTE> <P>"or have a network device that is caching cookies."</P> </BLOCKQUOTE> <P>I find this hard to believe.</P> Mon, 24 Jul 2017 16:59:13 GMT https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327659#M8401 neutronscott 2017-07-24T16:59:13Z https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327660#M8402 <P>I think the answers are:</P> <OL> <LI>yes</LI> <LI>tools.sessions.restart_persist = false</LI> </OL> <P>This should greatly improve performance as the client certificates aren't verified with each connection.</P> Mon, 24 Jul 2017 18:58:42 GMT https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327660#M8402 neutronscott 2017-07-24T18:58:42Z https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327661#M8403 <P>Which part, that you might have such a device or that one might exist?</P> Mon, 24 Jul 2017 20:15:11 GMT https://community.splunk.com/t5/Security/Splunk-CAC-login-SSO-cookie-length/m-p/327661#M8403 jkat54 2017-07-24T20:15:11Z