Security

Splunk not re-authenticating when browser re-loaded

tawollen
Path Finder

I had posted this as another topic, but found out more information. We noticed while we were testing scripted input that when you log into Splunk, close a web browser (IE/Firefox/Chrome), then re-launch web browser and go to the same Splunk site you will not be asked for your login credentials again until system times out.

This happens if you are using local Splunk authentication or scripted authentication.

It seems the only way to get Splunk to require login again is if you clear cookies when you close your web browser. (some people seem to have their browsers set to do this by default, others (we) do not).

Are there any settings within Splunk to require re-authentication on a new browser session?

1 Solution

araitz
Splunk Employee

UPDATE: this was implemented as of Splunk 4.3. Please see: http://blogs.splunk.com/2012/01/10/splunk4-3-shiny-new-security-features/

Old answer:

We are considering implementing the option for a non-persistent cookie, which means that it would go away when the browser closes.

However, if a user never closes their browser, they would not be subject to the 24 hour expiration that our current cookie content expiration provides.

Either way, this is largely mitigated by server-side UI activity and session timeouts, which you can set to as low as 5 minutes. These server-side settings can be set in $SPLUNK_HOME/etc/system/local/web.conf:

ui_inactivity_timeout = <integer>
   * Specifies the length of time lapsed (in minutes) for notification when there is no user interface clicking, mouseover, scrolling or resizing.
   * Notifies client side pollers to stop, resulting in sessions expiring at the tools.sessions.timeout value.
   * If less than 1, results in no timeout notification ever being triggered (Sessions will stay alive for as long as the browser is open).
   * Defaults to 60 minutes

tools.sessions.timeout = <integer>
   * Specifies the number of minutes of inactivity before a user session is expired
   * The countdown is effectively reset each minute by browser activity until the
     ui_inactivity_timeout inactivity timeout is reached.
   * Use a value of 2 or higher, as a value of 1 will race with the browser
     refresh, producing unpredictable behavior.
     (Low values aren't very useful though except for testing.)
   * Defaults to 60

Here is an example configuration that would produce sessions that timeout after 5 minutes of inactivity:

[settings]
ui_inactivity_timeout = 2
tools.sessions.timeout = 3

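As an added example (not Splunk's code and not part of the original post): a small Python script that models the two web.conf knobs described in the answer above and classifies Set-Cookie headers as persistent or session-only, which is the distinction the question turns on. It assumes the effective idle timeout is ui_inactivity_timeout plus tools.sessions.timeout, following the description that client pollers stop after the first and the session then expires at the second; the header values, reference time and helper names are constructed for illustration.

```python
"""Model Splunk web.conf session timeouts and audit Set-Cookie persistence.

Added example, not Splunk's code. Assumption (mine, from the answer's
description): effective idle timeout = ui_inactivity_timeout +
tools.sessions.timeout; ui_inactivity_timeout < 1 means no expiry while the
browser stays open. Helper names and sample data are constructed.
"""
import configparser
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed web.conf fragment mirroring the 5-minute example in the answer.
WEB_CONF_5_MIN = """
[settings]
ui_inactivity_timeout = 2
tools.sessions.timeout = 3
"""

# Constructed fragment showing the "alive as long as the browser is open" case.
WEB_CONF_NO_UI_TIMEOUT = """
[settings]
ui_inactivity_timeout = 0
tools.sessions.timeout = 60
"""

# Constructed Set-Cookie headers: 24h Expires (persistent), session-only, Max-Age.
SAMPLE_SET_COOKIES = [
    "session_id_8000=abc123; Expires=Mon, 02 Jan 2012 10:00:00 GMT; Path=/; HttpOnly",
    "session_id_8000=abc123; Path=/; Secure; HttpOnly",
    "session_id_8000=abc123; Max-Age=86400; Path=/",
]

# Constructed reference clock so the Expires arithmetic is deterministic.
REFERENCE_NOW = datetime(2012, 1, 1, 10, 0, tzinfo=timezone.utc)


def effective_idle_timeout(web_conf_text):
    """Return (minutes_or_None, warnings) for a web.conf [settings] stanza.

    None means the session is kept alive for as long as the browser is open
    (ui_inactivity_timeout < 1). Missing keys use the documented default of 60.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(web_conf_text)
    settings = cp["settings"] if cp.has_section("settings") else {}
    ui_idle = int(settings.get("ui_inactivity_timeout", 60))
    sess = int(settings.get("tools.sessions.timeout", 60))
    warnings = []
    if sess < 2:
        warnings.append("tools.sessions.timeout below 2 races with the browser refresh")
    if ui_idle < 1:
        warnings.append("ui_inactivity_timeout < 1: session lives as long as the browser is open")
        return None, warnings
    return ui_idle + sess, warnings


def classify_set_cookie(header, now=None):
    """Parse one Set-Cookie header value.

    A cookie is persistent (survives a browser close) when it carries Expires
    or Max-Age; otherwise it is a session cookie. Max-Age wins over Expires,
    as in RFC 6265. Lifetime is in seconds, None for a session cookie.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs, flags = {}, set()
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            flags.add(p.lower())
    lifetime = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        ref = now or datetime.now(timezone.utc)
        lifetime = int((parsedate_to_datetime(attrs["expires"]) - ref).total_seconds())
    return {
        "name": name,
        "persistent": lifetime is not None,
        "lifetime_seconds": lifetime,
        "secure": "secure" in flags,
        "httponly": "httponly" in flags,
    }


def audit(set_cookie_headers, web_conf_text, now=None):
    """Combine both views: server-side idle timeout plus cookie persistence.

    A persistent cookie does not extend the server-side session; it only lets
    the browser present the same session after a restart, which is the
    behaviour the question reports.
    """
    idle_minutes, findings = effective_idle_timeout(web_conf_text)
    for h in set_cookie_headers:
        c = classify_set_cookie(h, now=now)
        kind = "persistent, survives browser close" if c["persistent"] else "session-only"
        findings.append(f"{c['name']}: {kind}")
        if not c["secure"]:
            findings.append(f"{c['name']}: missing Secure flag")
    return idle_minutes, findings


if __name__ == "__main__":
    minutes, notes = audit(SAMPLE_SET_COOKIES, WEB_CONF_5_MIN, now=REFERENCE_NOW)
    print("effective idle timeout (minutes):", minutes)
    for n in notes:
        print("-", n)
```

Run with the 5-minute fragment and the server-side expiry is 5 minutes of inactivity, yet the first sample cookie still outlives a browser restart for a day; only the second, session-only cookie disappears when the browser closes, which is the behaviour the question asks for.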


Genti
Splunk Employee

Checked this and I do not think there is any config in Splunk that forces the user to re-authenticate on a browser session.
The way it currently works is a timeout on the session based on activity.
I think you can make it work with the browser session; however, this will break the timeout based on activity, which means if you leave your browser on it will keep Splunk logged in. This is more of a security issue than the way it is right now.

Options:
* log out before you close your browser
* set up your browser to kill the splunk cookie on browser close.

Hope this helps,
.gz

0 Karma

Genti
Splunk Employee

We use CherryPy for our HTTP framework http://www.cherrypy.org/ - I am not sure if it is a limitation of this, or of the way we are using it. You could file an enhancement request with support@splunk.com (or through the web). Perhaps some of our UI engineers can add more to this.

0 Karma

tawollen
Path Finder

Thanks, that is what I thought. How do other sites do both? My bank's site (and most of our other corporate sites) has an idle timeout (15 min) as well as session login (next time I go to the site I need to log in). How do other sites do this then? Seems like a Splunk limitation.

0 Karma