Splunk CAC login / SSO cookie length

neutronscott
New Member

I'm playing with Splunk 6.6.0 and DOD CAC login (X509 client certificates on a smartcard). The documentation says the REMOTE_USER must be in every request, but testing shows this isn't necessarily true, I think. Once the user received a session cookie, I was able to remove the header and stay signed in. In fact, I could close the browser and re-open it and the session was still alive. The cookie was set to expire in 10 years I believe, but I'm sure after 1hr of inactivity the server-side expires it.

Since client SSL auth and cert extraction is said to be an expensive operation, I thought I'd only request it once. This is what our web mail does. But I have also read that a per-location ssl verify requires a secure renegotiation and is better done with a separate domain or port. Our web mail uses a different port. So I was thinking of doing a redirect from when Splunk sends the user to /en-US/account/login to go to a separate VirtualHost that has "SSLVerifyClient required" and passes REMOTE_USER from %{SSL_CLIENT_SAN_OTHER_msUPN_0}e which maps to userPrincipalName in LDAP to Active Directory...

I believe this is a much better way than the previous solutions on here, but:

  1. Can I rely on passing the REMOTE_USER just once? (perhaps I misunderstood documentation)
  2. Can I get the browser cookie set by Splunk to expire on close? Without editing headers in Apache?
  3. If #1 is false, perhaps I can use my own mod_session setup, and welcome ideas, as I've little experience in cookie security and cross-site attacks.
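The two-VirtualHost layout described above, written out as an added Apache httpd 2.4 example (not configuration from the original post): the front-end vhost never asks for a client certificate and strips any REMOTE_USER header the browser might send, while a second vhost on a separate port requires the CAC once, maps the certificate's UPN into REMOTE_USER for the login URL only, and bounces every other path back to the front-end. Hostname, ports, file paths and the Splunk Web back-end address are assumptions.

```apache
# Front-end vhost (assumed splunk.example.test:443): no client-cert prompt,
# proxies everything to Splunk Web (assumed on 127.0.0.1:8000).
<VirtualHost *:443>
    ServerName splunk.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/splunk.crt      # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/splunk.key    # placeholder path
    SSLVerifyClient none

    # A browser-supplied REMOTE_USER must never reach Splunk; "early" strips
    # it before any other header processing on this vhost.
    RequestHeader unset REMOTE_USER early

    # Splunk's login URL is the only place the CAC is needed: send it to the
    # certificate-requiring vhost (assumed port 8443).
    Redirect /en-US/account/login https://splunk.example.test:8443/en-US/account/login

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

# CAC vhost: requires the smartcard certificate, reads the msUPN from the
# certificate's Subject Alternative Name, and proxies only the login path.
<VirtualHost *:8443>
    ServerName splunk.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/splunk.crt      # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/splunk.key    # placeholder path
    SSLCACertificateFile  /etc/pki/tls/certs/dod-ca-bundle.pem  # issuing CA chain, placeholder path
    SSLVerifyClient require
    SSLVerifyDepth 4
    # StdEnvVars populates SSL_CLIENT_SAN_OTHER_msUPN_0 for %{...}e below.
    SSLOptions +StdEnvVars

    # Same hygiene as the front-end, then set the header from the verified cert.
    RequestHeader unset REMOTE_USER early
    RequestHeader set REMOTE_USER "%{SSL_CLIENT_SAN_OTHER_msUPN_0}e"

    ProxyPreserveHost On
    ProxyPass        /en-US/account/login http://127.0.0.1:8000/en-US/account/login
    ProxyPassReverse /en-US/account/login http://127.0.0.1:8000/en-US/account/login

    # Anything other than the login path (e.g. Splunk's post-login redirect)
    # goes back to the front-end, where the session cookie already applies.
    RedirectMatch ^/(?!en-US/account/login)(.*)$ https://splunk.example.test/$1
</VirtualHost>
```

On the Splunk side this assumes web.conf has SSOMode = strict, trustedIP set to the proxy's address and remoteUser = REMOTE_USER, so Splunk only honours the header from the Apache host. The session cookie is shared across both ports because cookies are scoped by host, not port, which is what lets the front-end vhost stay signed in without re-presenting the CAC.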

neutronscott
New Member

I think the answers are:

  1. yes
  2. tools.sessions.restart_persist = false

This should greatly improve performance as the client certificates aren't verified with each connection.


jkat54
SplunkTrust

"In fact, I could close the browser and re-open it and the session was still alive"

I find this hard to believe unless you had other browser windows open or have a network device that is caching cookies.


neutronscott
New Member

"or have a network device that is caching cookies."

I find this hard to believe.


jkat54
SplunkTrust

Which part, that you might have such a device or that one might exist?
