Getting Data In

get session key for included javascript app with logged in user

hkonzmann
Explorer

i have included a react app into the splunk app. its just one aggregated file.
i want to trigger a upload via rest api (receivers/stream) to upload some csv data. my problem is that i need the session key for the request header (authorization: splunk )

i am already logged in as admin and dont want to start a new session via JS. how is it possible to get (best way with JS because i am not able to use python) the current user with session key for my rest api call?

thanks in advantage.

0 Karma
1 Solution

docwalter
Engager

To reuse an existing Splunk web session for Javascript REST API calls, you obviously have to transfer the CSRF cookie content into an HTTP header. This is what works for me (Splunk 6.6.2):

var xhr = new XMLHttpRequest();
xhr.open('POST', '/en-US/splunkd/__raw/services/data/indexes', true);
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
xhr.setRequestHeader('X-Splunk-Form-Key', document.cookie.match(/splunkweb_csrf_token_8000=(\d+)/)[1]); 
xhr.send("name=mybrandnewindex&output_mode=json")

View solution in original post

docwalter
Engager

To reuse an existing Splunk web session for Javascript REST API calls, you obviously have to transfer the CSRF cookie content into an HTTP header. This is what works for me (Splunk 6.6.2):

var xhr = new XMLHttpRequest();
xhr.open('POST', '/en-US/splunkd/__raw/services/data/indexes', true);
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
xhr.setRequestHeader('X-Splunk-Form-Key', document.cookie.match(/splunkweb_csrf_token_8000=(\d+)/)[1]); 
xhr.send("name=mybrandnewindex&output_mode=json")

s2_splunk
Splunk Employee
Splunk Employee

Take a look here, do a find on the page for "Retrieve" and take a look at the example code.

0 Karma

hkonzmann
Explorer

@ssievert i have seen this already. this method uses its own login script with a loginmask to store jquery cookies. but if i am already logged in from the default login, the user has a session and a session key. but it is stored in http-only cookies which i cannot read out.

i dont want the user logs in two times.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

OK, I see. I didn't notice that. You don't have access to the sessionToken, so the only other option is to try to post to the raw REST endpoint: /en-US/splunkd/__raw/servicesNS/admin/<app>/...
Give that a whirl and let us know what happens.

hkonzmann
Explorer

@ssievert i tried this yesterday and it gives me a CSRF error (CSRF validation failed). i checked splunkd.log and the expected key and the given key is completley identical. i call the rest api via fetch + credentials:same-origin.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...