Question Re: CSRF token validation failed in Technology Q&A

CSRF token validation failed

Former Member — Wed, 16 Jul 2014 05:32:05 GMT

Hi Experts,

I am getting "CSRF token validation failed " error in post method, in OData.request .

our architecture is

Gateway server is common for CRM and ECC

Netweaver Gateway-->CRM,ECC

The POST method is working for CRM services, and it is not working for case of ECC services.

But GET method is working for both CRM services and ECC services.

I tried by passing 'X-CSRF-Token' , but still same problem.

Note : IN SICF for corresponding all service i mentioned ~CHECK_CSRF_TOKEN = 0 in both systems CRM and ECC.

I also tried as per the index.html document in section Cross-Site Request Forgery (CSRF) of the link

Getting Started with Kapsel - Appendix D -- Security but still same problem

Daniel Van Leeuwen

Thanks in advacne

Suresh

Tags edited by: Michael Appleby

Re: CSRF token validation failed

Former Member — Wed, 16 Jul 2014 06:38:40 GMT

Hi,

Did you try testing these services in browser rest client like postman or advanced rest client, Have you deployed these services in SMP, if yes then what is the SMP/SUP version, which native language you are using to call the services?

Regards,

Abhishek Wajge

Re: CSRF token validation failed

Former Member — Wed, 16 Jul 2014 07:16:31 GMT

Hi Abhishek Wajge,

Thanks for input,

we are testing from disable-web-security chrome,

We are using OData.request () for post method in javascript.

I given ~CHECK_CSRF_TOKEN = 0, for all the services in SICF of Netweaver Gateway.

Then service for CRM is workinf fine, But service for ECC not working

In ECC we are getting "CSRF token validation failed" message.

Is there any settings need to be done for the same in RZ10 of ECC?

What i observed is, if i remove ~CHECK_CSRF_TOKEN = 0, then my service is working internally

If i call the service with relay server then it is nt working.

I am calling OData.request() to fetch the token, but i cant get the cookie from this method, which header we need to set to get the cookie.

When i call OData.request() with relay server URL continuously , i am getting different CSRF tocken values .

But if i call OData.request() with local URL, i am getting same URL for a while.

jitendra kansal

Midhun VP

Daniel Van Leeuwen

Thanks in advance

Suresh

Re: CSRF token validation failed

jangold — Tue, 19 Aug 2014 11:09:09 GMT

Hi,

I have no experience with realy server, but I found these problem when I was using SMP server. Are you comunicating with Netweaver Gateway through SMP?

Can you post here headers of get request and response? I would like to see the cookies in response.

Regards,

Re: CSRF token validation failed

Former Member — Tue, 19 Aug 2014 18:05:34 GMT

What version of the Relay Server? Also, are you using this through SMP?

I seem to recall an issue with this combination. I believe the later patches corrected it so you might try updating each.

I think you want to be on SMP 2.3.4 (2.3.3 may work as well) and Relay Server 16.0.1453 or higher

Edgar

Re: CSRF token validation failed

Former Member — Sun, 24 Aug 2014 04:49:03 GMT

HI Edgar,JG

Thanks for reply,

our architecture is gateway-----> ECC, CRM

For the OData services of the CRM , POST method is working,

But OData services for ECC not working.

Is there any settings, we need to do in RZ10?

What i observed is the setting ~CHECK_CSRF_TOKEN = 0 in SICF is not working , for the services of ECC.

Thanks

Suresh Babu

Re: CSRF token validation failed

jangold — Tue, 26 Aug 2014 07:49:21 GMT

Hi Suresh,

I tried to create entiry withou x-csrf-token and the result was 201 Created ;-).

I was following the steps described in configuration for SAP NWGW:

in SICF transaction i found my service and clicked GUI Configuration where i enter ~CHECK_CSRF_TOKEN = 0
in my request client I set up:

URL with path to my service + entity set
method = POST
headers:

Content-Type=application/atom+xml
X-REQUESTED-WITH=XMLHTTPRequest

body with xml of created entity
authentication

And that is all I need to create entity without x-csrf-token.

Hope this information help you.