Getting Data In

Session timeout not only for user inactivity

Splunk Employee
Splunk Employee

Hi guys,
is there any way to set a "global" session timeout?
Not only for user inactivity but for all users even if they are working!
(I know, this look like a stupid question, but the customer asked it for security reason).
Many thanks.

0 Karma

Splunk Employee
Splunk Employee

Found the solution (thanks to Support). Sharing it for who is interested:

Within Splunk all user session timeouts are the result of inactivity, so we effectively only close sessions if they exceed the configured idle time and we provide no mechanism to force sessions to expire/terminate.

However, while it's not a supported feature we do track session tokens, so you could fashion your own solution to delete specific tokens (authentication/httpauth-tokens):

https://docs.splunk.com/Documentation/Splunk/7.2.1/RESTREF/RESTaccess#authentication.2Fhttpauth-toke...

You could query the endpoint to list out all session tokens, then delete the token, for example:

curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYx...

As mentioned above we provide no official mechanism for doing this, but you should be able to use the above to achieve the same result.

Alternatively, since you have CA-Siteminder you should be able to enforce session time limits, through WebAgent-OnAuthAccept-Session-MaxTimeout for example - just note that I am not overly familiar with CA-Siteminder so can't advise on how this should be configured.

0 Karma