The is_valid_cherrypy_session_id() function indicates whether or not the specified token is equivalent to the Splunk session token stored in the CherryPy session.
The @expose_page decorator uses this function as part of CSRF protection on POST requests. In the listing below, the check runs only for POST requests, reads the token from the X-Splunk-Session header for XHR requests and from the splunk_session_id parameter otherwise, and is skipped when the CherryPy environment is test_suite.
tokenIdF = is_valid_cherrypy_session_id( token )
Parameter:

| Name | Type | Description |
| --- | --- | --- |
| token | String | Token to compare to the Splunk session token. |

Return value:

| Type | Description |
| --- | --- |
| Boolean | Indicates whether the token matches the Splunk session token: True = the token is equivalent to the Splunk session token; False = the token is not equivalent to the Splunk session token. |
def expose_page(must_login=True, handle_api=False, methods=None, verify_session=True, verify_sso=True, trim_spaces=False):
@decorator
def check(fn, self, *a, **kw):
is_api = util.is_api()
request = cherrypy.request
... elided ...
if verify_session and request.method == 'POST' and not cherrypy.config.get('environment') == 'test_suite':
is_xhr = util.is_xhr()
session_id = request.headers.get('X-Splunk-Session') if is_xhr else request.params.get('splunk_session_id')
if not util.is_valid_cherrypy_session_id(session_id):
if is_xhr:
logger.warn('CSRF: validation failed because client XHR did not include proper header')
else:
logger.warn('CSRF: validation failed because HTTP POST did not include expected parameter')
... elided ...