Splunk CAC login / SSO cookie length

New Member

I'm playing with Splunk 6.6.0 and DOD CAC login (X509 client certificates on a smartcard). The documentation says the REMOTE_USER must be in every request, but testing shows this isn't necessarily true, I think. Once the user received a session cookie, I was able to remove the header and stay signed in. In fact, I could close the browser and re-open it and the session was still alive. The cookie was set to expire in 10 years I believe, but I'm sure after 1hr of inactivity the server-side expires it.

Since client SSL auth and cert extraction is said to be an expensive operation, I thought I'd only request it once. This is what our web mail does. But I have also read that a per-location ssl verify requires a secure renegotiation and is better done with a separate domain or port. Our web mail uses a different port. So I was thinking of doing a redirect from when Splunk sends the user to /en-US/account/login to go to a separate VirtualHost that has "SSLVerifyClient required" and passes REMOTE_USER from %{SSL_CLIENT_SAN_OTHER_msUPN_0}e which maps to userPrincipalName in LDAP to Active Directory...

I believe this is a much better way than the previous solutions on here, but:

  1. Can I rely on passing the REMOTE_USER just once? (perhaps I misunderstood documentation)
  2. Can I get the browser cookie set by Splunk to expire on close? Without editing headers in Apache?
  3. If #1 is false, perhaps I can use my own mod_session setup, and welcome ideas, as I've little experience in cookie security and cross-site attacks.
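The two-VirtualHost layout described above, written out as an added example (not configuration from the original thread or from Splunk). It assumes Apache 2.4 with mod_ssl, mod_headers, mod_proxy and mod_alias, a Splunk Web listener on 127.0.0.1:8000, and placeholder hostnames, ports and certificate paths; the main vhost never asks for a client cert, and only the cert-verifying vhost is allowed to set REMOTE_USER.

```apache
# Main vhost (port 443): no client-cert check, plain reverse proxy to Splunk Web.
<VirtualHost *:443>
    ServerName splunk.example.mil                       # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/splunk.crt     # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/splunk.key   # placeholder
    SSLVerifyClient none

    # A browser can send its own REMOTE_USER header; strip it so Splunk only
    # ever sees the value the cert vhost below sets after verification.
    RequestHeader unset REMOTE_USER

    # When Splunk sends the user to its login page, bounce them to the
    # cert-verifying vhost on the other port (same host, so the session
    # cookie Splunk sets there is sent back to this port afterwards).
    Redirect 302 /en-US/account/login https://splunk.example.mil:8443/en-US/account/login

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

# CAC vhost (port 8443): client certificate required, chained to the DoD CA bundle.
<VirtualHost *:8443>
    ServerName splunk.example.mil                       # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/splunk.crt     # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/splunk.key   # placeholder
    SSLCACertificateFile  /etc/pki/tls/certs/dod-ca-bundle.pem   # placeholder
    SSLVerifyClient require
    SSLVerifyDepth  4
    SSLOptions +StdEnvVars

    # Drop any client-supplied value first, then derive REMOTE_USER from the
    # msUPN subjectAltName of the verified certificate (maps to AD userPrincipalName).
    RequestHeader unset REMOTE_USER
    RequestHeader set   REMOTE_USER "%{SSL_CLIENT_SAN_OTHER_msUPN_0}e"

    # Only the login request is proxied from here; Splunk answers it by
    # setting the session cookie. Everything else returns to the main vhost
    # so the client cert is not re-verified on every request.
    ProxyPreserveHost On
    ProxyPass        /en-US/account/login http://127.0.0.1:8000/en-US/account/login
    ProxyPassReverse /en-US/account/login http://127.0.0.1:8000/en-US/account/login
    RedirectMatch 302 ^/(?!en-US/account/login)(.*)$ https://splunk.example.mil/$1
</VirtualHost>
```

On the Splunk side, web.conf still needs its SSO settings (SSOMode, remoteUser and trustedIP restricted to this proxy's address) so that the header is honoured only when it arrives from Apache.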

New Member

I think the answers are:

  1. yes
  2. tools.sessions.restart_persist = false

This should greatly improve performance as the client certificates aren't verified with each connection.


SplunkTrust

"In fact, I could close the browser and re-open it and the session was still alive"

I find this hard to believe unless you had other browser windows open or have a network device that is caching cookies.


New Member

"or have a network device that is caching cookies."

I find this hard to believe.


SplunkTrust

Which part, that you might have such a device or that one might exist?
