Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Session timeout not only for user inactivity- Is there a way to set a "global" session timeout?

clotti_splunk
Splunk Employee
Splunk Employee
‎07-19-2019 02:28 AM

Hi guys,
is there any way to set a "global" session timeout?
Not only for user inactivity but for all users even if they are working!
(I know, this look like a stupid question, but the customer asked it for security reason).
Many thanks.

Labels (1)
Labels
Reply

splunkreal
Motivator
‎08-05-2022 12:30 AM

Hello, this is really needed feature, also it seems http tokens are not accurate, I had one user without any more token and still doing searches. Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

clotti_splunk
Splunk Employee
Splunk Employee
‎07-22-2019 12:15 AM

Found the solution (thanks to Support). Sharing it for who is interested:

Within Splunk all user session timeouts are the result of inactivity, so we effectively only close sessions if they exceed the configured idle time and we provide no mechanism to force sessions to expire/terminate.

However, while it's not a supported feature we do track session tokens, so you could fashion your own solution to delete specific tokens (authentication/httpauth-tokens):

https://docs.splunk.com/Documentation/Splunk/7.2.1/RESTREF/RESTaccess#authentication.2Fhttpauth-toke...

You could query the endpoint to list out all session tokens, then delete the token, for example:

curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYx...

As mentioned above we provide no official mechanism for doing this, but you should be able to use the above to achieve the same result.

Alternatively, since you have CA-Siteminder you should be able to enforce session time limits, through WebAgent-OnAuthAccept-Session-MaxTimeout for example - just note that I am not overly familiar with CA-Siteminder so can't advise on how this should be configured.

Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...