Splunk Search

consistent redirection problem

dianbo_1
Path Finder

I noticed the following item in 4.1.4' change logs

Consistent redirect to login page when running searches in Splunk Web. (SPL-31268)

, but i always ran into consistent redirection sometimes in my application in 4.1.4, and i do not know if it is because of the apache proxy in front of it. Any one can help? Thanks,

*** UPDATE ***

Hi Simeon,

Thanks for your answer, i post some logs below. I do not know if it is because of the following reason that a colleague who is in the USA and me in China using splunk with the same user -- admin. Different browsers ,different timezones, same user, sessiontimeout is set to 24 hours, ......, which i guess may be the reason for the consistent redirect. Any opinions about this? Thanks,

2010-08-16 14:06:04,482 WARNING [4c6929ac7a16c8d4d0] decorators:86 - CSRF: validation failed because client XHR did not include proper header
2010-08-16 14:06:04,482 INFO    [4c6929ac7a16c8d4d0] decorators:87 - CSRF: clientSession=fe890db10b4f24d7bfa37e020b512432f33ad4c0 serverSession=0d8bdbe313994f239849d103d8756645884d2318
2010-08-16 14:06:04,482 WARNING [4c6929ac7a16c8d4d0] decorators:91 - CSRF: skipping 401 redirect response because endpoint did not request protection
2010-08-16 14:06:04,482 ERROR   [4c6929ac7a16c8d4d0] utility:59 - name=javascript, class=Splunk.Error, lineNumber=0, message=uncaught exception: [Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIXMLHttpRequest.status]"  nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)"  location: "JS frame :: http://192.168.18.192/splunk/en-US/static/@82143/js/splunk.jquery.csrf_protection.js :: anonymous :: line 56"  data: no], fileName=
2010-08-16 14:06:05,829 INFO    [4c6929add316c8d7d0] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments
2010-08-16 14:06:06,465 INFO    [4c6929add316c8d7d0] view:1228 - PERF - viewTime=0.5841s templateTime=0.0518s

......

2010-08-17 11:21:49,686 INFO    [4c6a54acfa16c5a710] view:1228 - PERF - viewTime=0.653s templateTime=0.0527s
2010-08-17 11:22:06,684 WARNING [4c6a54beae16cb8090] decorators:86 - CSRF: validation failed because client XHR did not include proper header
2010-08-17 11:22:06,684 INFO    [4c6a54beae16cb8090] decorators:87 - CSRF: clientSession=ab55c1eb9a93ce39fdb1d4aa80bd3905f03c9006 serverSession=e7bc65fc4aed53ade97d43acad7fa3e7c72c1a65
2010-08-17 11:22:10,127 WARNING [4c6a54c22016db15d0] decorators:86 - CSRF: validation failed because client XHR did not include proper header
2010-08-17 11:22:10,128 INFO    [4c6a54c22016db15d0] decorators:87 - CSRF: clientSession=ab55c1eb9a93ce39fdb1d4aa80bd3905f03c9006 serverSession=61586a244fac9d3196010ab21f8225df832d0884
2010-08-17 11:22:10,951 INFO    [4c6a54c2f216cb8b90] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments
2010-08-17 11:22:12,771 INFO    [4c6a54c4c216dc0ad0] _cplogging:55 - [17/Aug/2010:11:22:12] HTTP 
Request Headers:
  X-FORWARDED-SERVER: netsee-qa.reston.prod
  REFERER: http://192.168.18.192/netsee/develop/developing.jsp
  ACCEPT-LANGUAGE: zh-cn,zh;q=0.5
  HOST: 192.168.18.190:8087
  ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  ACCEPT-CHARSET: GB2312,utf-8;q=0.7,*;q=0.7
  USER-AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
  CONNECTION: Keep-Alive
  COOKIE: skin=treeview; ac_pas_locale_timezone=en#5fUS#7cEastern#20Standard#20Time; session_id_8087=e8c541c38fd090b3f1f8d5465d5aeec7c4f016f8
  Remote-Addr: 192.168.18.192
  X-FORWARDED-HOST: 192.168.18.192
  X-FORWARDED-FOR: 10.3.6.142
  ACCEPT-ENCODING: gzip,deflate
2010-08-17 11:22:12,772 DEBUG   [4c6a54c4c216dc0ad0] _cplogging:55 - [17/Aug/2010:11:22:12] HTTP Traceback (most recent call last):
  .......

  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/__init__.py", line 168, in make_url
    return util.make_url(*a, **kw)
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/util.py", line 223, in make_url
    raise InvalidURLException("Illegal characters in URL")
InvalidURLException: Illegal characters in URL

2010-08-17 11:22:14,731 INFO    [4c6a54c6ba16b8b810] decorators:301 - require_login - no splunkd sessionKey variable set; cherrypy_session=7e3a99b37d3baacc79d7e2e6111d92bdfa7fc244 request_path=/en-US/app/search/dashboard
2010-08-17 11:22:14,732 INFO    [4c6a54c6ba16b8b810] decorators:308 - require_login - redirecting to login
......



2010-08-19 16:15:48,042 INFO    [4c6d3c92da16cb8a90] view:1228 - PERF - viewTime=0.6174s templateTime=0.5697s
2010-08-19 16:15:58,251 INFO    [4c6d3c9e3f16cb8810] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments
2010-08-19 16:15:58,781 WARNING [4c6d3c9e3f16cb8810] viewstate:133 - Found invalid keyname in viewstate stanza: disabled
2010-08-19 16:15:58,901 WARNING [4c6d3c9e3f16cb8810] __opt_splunk_share_splunk_search_mrsparkle_modules_results_page_controls_Count_html:63 - No count assigned; reverting to first value in drop down
2010-08-19 16:15:58,912 INFO    [4c6d3c9e3f16cb8810] view:1228 - PERF - viewTime=0.5795s templateTime=0.0818s
2010-08-19 16:16:33,427 INFO    [4c6d3cc16c16cc5cd0] decorators:301 - require_login - no splunkd sessionKey variable set; cherrypy_session=3db678c055beddf6a321a162fe1959dfd1d9f7c2 request_path=/en-US/api/messages/index
2010-08-19 16:16:33,428 INFO    [4c6d3cc16c16cc5cd0] decorators:305 - require_login - is api/XHR request, raising 401 status
2010-08-19 16:17:12,205 WARNING [4c6d3ce83315969c50] decorators:86 - CSRF: validation failed because client XHR did not include proper header
2010-08-19 16:17:12,206 INFO    [4c6d3ce83315969c50] decorators:87 - CSRF: clientSession=21c5b6e29d9ebded1cc45a4ef495de1bdbb7c3f1 serverSession=74dd0a59bb07c95bd6763c12506a2d995338974e
2010-08-19 16:17:12,322 WARNING [4c6d3ce85216cc5090] decorators:86 - CSRF: validation failed because client XHR did not include proper header
2010-08-19 16:17:12,323 INFO    [4c6d3ce85216cc5090] decorators:87 - CSRF: clientSession=21c5b6e29d9ebded1cc45a4ef495de1bdbb7c3f1 serverSession=a48048cf69e412e00d34dcee51aaaba8116c5bb7
2010-08-19 16:17:16,894 INFO    [4c6d3cece41721ef10] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments
2010-08-19 16:17:17,678 INFO    [4c6d3cedac172e2110] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments
Tags (1)

Johnvey
Contributor

Splunk uses a token (in the form of an HTTP header) to authenticate any HTTP POST requests. What is happening here is that the token passed by the web browser does not match the one on record in Splunkweb. The following lines illustrate this:

2010-08-19 16:17:12,205 WARNING [4c6d3ce83315969c50] decorators:86 - CSRF: validation failed because client XHR did not include proper header
2010-08-19 16:17:12,206 INFO    [4c6d3ce83315969c50] decorators:87 - CSRF: clientSession=21c5b6e29d9ebded1cc45a4ef495de1bdbb7c3f1 serverSession=74dd0a59bb07c95bd6763c12506a2d995338974e

Note that the clientSession does not match the serverSession, which Splunkweb interprets as an authentication failure.

Potential causes are:

  • overly aggressive browser caching
  • improper load balancing configuration
  • improper web proxy configuration

I would flush your cookies for the server and and try accessing the Splunk server without going through the proxy to see if the problem still exists.

Simeon
Splunk Employee
Splunk Employee

This sounds like you are getting auto logged out of the UI. I recommend you check the authentication services to see what users are logged in and the token/session life status. So, check your session/token status during first login and then see what the status is after you are redirected to the login page. The web_access.log and web_service.log might also provide some hints (Please post a snippet if possible).

To check your sessions, log in to the splunkd port via https and specify your user/password. E.G.:

https://splunk-server:8089/services/admin/httpauth-tokens

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...