https://community.sap.com/t5/application-development-and-automation-discussions/csrf-fetch-anomaly-during-rest-api-implementation/m-p/13962544#M2038120 <P>I am implementing a 3rd party integration that uses basic auth (for now), fetches CSRF token and by using the received CSRF Token, I am making subsequent HTTP requests (REST). I am facing a peculiar issue. Let me write it simply:</P><OL><LI>I fetch the CSRF token by putting the correct credentials and receive the token.</LI><LI>I use it to make requests and decide to close the app.</LI><LI>I reopen the app again and it prompts me to enter my credentials again (which it should)</LI><LI>I type random (incorrect) credentials in the username and password fields and click on fetch.</LI><LI>I still get the same token.&nbsp;</LI></OL><P>Now I am not able to understand how that is possible. How does the SAP session management work? I mean if I am able to get the CSRF token regardless of my basic credentials, how is it secure? Or am I missing something in the configuration of the service in SICF? Below are the standard settings of my service that I have not changed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anandkarna123_0-1734071256609.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/201144i569385B77833AE20/image-size/medium?v=v2&amp;px=400" role="button" title="Anandkarna123_0-1734071256609.png" alt="Anandkarna123_0-1734071256609.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anandkarna123_2-1734071306539.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/201146i1B214AFB8C0204F9/image-size/medium?v=v2&amp;px=400" role="button" title="Anandkarna123_2-1734071306539.png" alt="Anandkarna123_2-1734071306539.png" /></span></P><P>My question is:&nbsp;<STRONG>How am I able to get a CSRF Token&nbsp;</STRONG>(the same one which I received when I put the correct creds in the first try)&nbsp;<STRONG>whilst putting in incorrect creds?&nbsp;</STRONG>Also, no matter what the creds, if I do any action (for example: create a HU number via the application), my original username (the one that I used as a part of my correct creds) is recorded in the SAP system (table: VEKP).&nbsp;<BR />Basically, I enter the app with incorrect creds and it seems like SAP thinks that I am the original user again (I don't know via session-cookies or something) and then allows me to make subsequent requests.</P><P><BR /><EM>Note: I am making an axios-get request from my application to the SAP server to get the CSRF token</EM></P> Fri, 13 Dec 2024 06:35:52 GMT Anandkarna123 2024-12-13T06:35:52Z https://community.sap.com/t5/application-development-and-automation-discussions/csrf-fetch-anomaly-during-rest-api-implementation/m-p/13962544#M2038120 <P>I am implementing a 3rd party integration that uses basic auth (for now), fetches CSRF token and by using the received CSRF Token, I am making subsequent HTTP requests (REST). I am facing a peculiar issue. Let me write it simply:</P><OL><LI>I fetch the CSRF token by putting the correct credentials and receive the token.</LI><LI>I use it to make requests and decide to close the app.</LI><LI>I reopen the app again and it prompts me to enter my credentials again (which it should)</LI><LI>I type random (incorrect) credentials in the username and password fields and click on fetch.</LI><LI>I still get the same token.&nbsp;</LI></OL><P>Now I am not able to understand how that is possible. How does the SAP session management work? I mean if I am able to get the CSRF token regardless of my basic credentials, how is it secure? Or am I missing something in the configuration of the service in SICF? Below are the standard settings of my service that I have not changed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anandkarna123_0-1734071256609.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/201144i569385B77833AE20/image-size/medium?v=v2&amp;px=400" role="button" title="Anandkarna123_0-1734071256609.png" alt="Anandkarna123_0-1734071256609.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anandkarna123_2-1734071306539.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/201146i1B214AFB8C0204F9/image-size/medium?v=v2&amp;px=400" role="button" title="Anandkarna123_2-1734071306539.png" alt="Anandkarna123_2-1734071306539.png" /></span></P><P>My question is:&nbsp;<STRONG>How am I able to get a CSRF Token&nbsp;</STRONG>(the same one which I received when I put the correct creds in the first try)&nbsp;<STRONG>whilst putting in incorrect creds?&nbsp;</STRONG>Also, no matter what the creds, if I do any action (for example: create a HU number via the application), my original username (the one that I used as a part of my correct creds) is recorded in the SAP system (table: VEKP).&nbsp;<BR />Basically, I enter the app with incorrect creds and it seems like SAP thinks that I am the original user again (I don't know via session-cookies or something) and then allows me to make subsequent requests.</P><P><BR /><EM>Note: I am making an axios-get request from my application to the SAP server to get the CSRF token</EM></P> Fri, 13 Dec 2024 06:35:52 GMT https://community.sap.com/t5/application-development-and-automation-discussions/csrf-fetch-anomaly-during-rest-api-implementation/m-p/13962544#M2038120 Anandkarna123 2024-12-13T06:35:52Z