Getting Data In

Session timeout not only for user inactivity- Is there a way to set a "global" session timeout?

clotti_splunk
Splunk Employee
Splunk Employee

Hi guys,
is there any way to set a "global" session timeout?
Not only for user inactivity but for all users even if they are working!
(I know, this look like a stupid question, but the customer asked it for security reason).
Many thanks.

Labels (1)

splunkreal
Motivator

Hello, this is really needed feature, also it seems http tokens are not accurate, I had one user without any more token and still doing searches. Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma

clotti_splunk
Splunk Employee
Splunk Employee

Found the solution (thanks to Support). Sharing it for who is interested:

Within Splunk all user session timeouts are the result of inactivity, so we effectively only close sessions if they exceed the configured idle time and we provide no mechanism to force sessions to expire/terminate.

However, while it's not a supported feature we do track session tokens, so you could fashion your own solution to delete specific tokens (authentication/httpauth-tokens):

https://docs.splunk.com/Documentation/Splunk/7.2.1/RESTREF/RESTaccess#authentication.2Fhttpauth-toke...

You could query the endpoint to list out all session tokens, then delete the token, for example:

curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYx...

As mentioned above we provide no official mechanism for doing this, but you should be able to use the above to achieve the same result.

Alternatively, since you have CA-Siteminder you should be able to enforce session time limits, through WebAgent-OnAuthAccept-Session-MaxTimeout for example - just note that I am not overly familiar with CA-Siteminder so can't advise on how this should be configured.

Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...