Security

Splunk not re-authenticating when browser re-loaded

Path Finder

I had posted this as another topic, but found out more information. We noticed while we were testing scripted input that when you log into Splunk, close a web browser (IE/Firefox/Chrome), then re-launch web browser and go to the same Splunk site you will not be asked for your login credentials again until system times out.

This happens if you are using local Splunk authentication or scripted authentication.

It seems the only way to get Splunk to require login again is if you clear cookies when you close your web browser. (some people seem to have their browsers set to do this by default, others (we) do not).

Are there any settings within Splunk to require re-authentication on a new browser session?

1 Solution

Splunk Employee

UPDATE: this was implemented as of Splunk 4.3. Please see: http://blogs.splunk.com/2012/01/10/splunk4-3-shiny-new-security-features/

Old answer:

We are considering implementing the option for a non-persistent cookie, which means that it would go away when the browser closes.

However, if a user never closes their browser, they would not be subject to the 24 hour expiration that our current cookie content expiration provides.

Either way, this is largely mitigated by server-side UI activity and session timeouts, which you can set to as low as 5 minutes. These server-side settings can be set in $SPLUNK_HOME/etc/system/local/web.conf:

ui_inactivity_timeout = <integer>
   * Specifies the length of time lapsed (in minutes) for notification when there is no user interface clicking, mouseover, scrolling or resizing.
   * Notifies client side pollers to stop, resulting in sessions expiring at the tools.sessions.timeout value.
   * If less than 1, results in no timeout notification ever being triggered (Sessions will stay alive for as long as the browser is open).
   * Defaults to 60 minutes

tools.sessions.timeout = <integer>
   * Specifies the number of minutes of inactivity before a user session is expired
   * The countdown is effectively reset by browser activity every minute until
     the ui_inactivity_timeout inactivity timeout is reached.
   * Use a value of 2 or higher, as a value of 1 will race with the browser
     refresh, producing unpredictable behavior.
     (Low values aren't very useful though except for testing.)
   * Defaults to 60

Here is an example configuration that would produce sessions that time out after 5 minutes of inactivity:

[settings]
ui_inactivity_timeout = 2
tools.sessions.timeout = 3

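To make the interplay of the two web.conf settings concrete, here is a small audit script added as an example (it is not code from the original post or from Splunk). It parses the [settings] stanza, applies the caveats stated above (a ui_inactivity_timeout below 1 means sessions live as long as the browser is open, a tools.sessions.timeout of 1 races with the browser refresh) and reports the effective idle timeout as the sum of the two values, which is how the 2 + 3 = 5 minute example above works out; the defaults of 60 are assumed when a key is absent.

```python
"""Audit session-timeout settings in a Splunk web.conf [settings] stanza.

Constructed example, not from the original post. The rules encode the
answer's own caveats; the "effective idle minutes" figure assumes the
session expires tools.sessions.timeout minutes after the UI pollers stop.
"""
import configparser

# Defaults quoted in the answer (both 60 minutes).
DEFAULT_UI_INACTIVITY = 60
DEFAULT_SESSION_TIMEOUT = 60


def load_settings(text: str) -> dict:
    """Parse the [settings] stanza of web.conf-style text into integer values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    found = {}
    if cp.has_section("settings"):
        for key in ("ui_inactivity_timeout", "tools.sessions.timeout"):
            if cp.has_option("settings", key):
                found[key] = int(cp.get("settings", key))
    return found


def audit_session_timeouts(text: str) -> dict:
    """Return the effective values, the resulting idle timeout and any findings."""
    settings = load_settings(text)
    ui = settings.get("ui_inactivity_timeout", DEFAULT_UI_INACTIVITY)
    sess = settings.get("tools.sessions.timeout", DEFAULT_SESSION_TIMEOUT)
    findings = []
    if ui < 1:
        # No timeout notification is ever sent: open browsers keep the session alive.
        findings.append("ui_inactivity_timeout < 1: sessions never expire while the browser is open")
    if sess < 2:
        # A value of 1 races with the browser refresh (unpredictable behaviour).
        findings.append("tools.sessions.timeout < 2: races with the browser refresh")
    # Pollers stop after `ui` idle minutes, then the session expires `sess` minutes later.
    effective = ui + sess if ui >= 1 else None
    return {
        "ui_inactivity_timeout": ui,
        "tools.sessions.timeout": sess,
        "effective_idle_minutes": effective,
        "findings": findings,
    }


# Constructed sample: the 5-minute configuration from the answer above.
SAMPLE_WEB_CONF = """[settings]
ui_inactivity_timeout = 2
tools.sessions.timeout = 3
"""

if __name__ == "__main__":
    print(audit_session_timeouts(SAMPLE_WEB_CONF))
```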


Splunk Employee

Checked this and I do not think there is any config in Splunk that forces a user to re-authenticate on a new browser session.
The way it currently works is a timeout on the session based on activity.
I think you can make it work with the browser session; however, this will break the timeout based on activity, which means if you leave your browser on it will keep Splunk logged in. This is more of a security issue than the way it is right now.

Options:
* log out before you close your browser
* set up your browser to kill the splunk cookie on browser close.

Hope this helps,
.gz


Splunk Employee

We use CherryPy for our HTTP framework (http://www.cherrypy.org/). I am not sure if it is a limitation of this, or of the way we are using it. You could file an enhancement request with support@splunk.com (or through the web). Perhaps some of our UI engineers can add more to this.


Path Finder

Thanks, that is what I thought. How do other sites do both? My bank's site (and most of our other corporate sites) has an idle timeout (15 min) as well as a session login (next time I go to the site I need to log in). How do other sites do this then? Seems like a Splunk limitation.
