Question Re: 403 Forbidden : CSRF token validation failed in Technology Q&A

403 Forbidden : CSRF token validation failed

Private_Member_148162 — Fri, 26 Feb 2016 21:49:08 GMT

Hi,

I have created the Fiori app(version 1.28) in web ide and imported into eclipse.

In component.js config, I have mentioned the complete odata service URL without proxy and opening the application in chrome with argument --disable web security.

I Just did some Odata model binding to items aggregation of table in my xml view.

And yes, I am using OData V2 model(auto generated code in models.js), handling of csrf token is by default true.

I can see the calls are fired one to fetch the CSRF token and the other to GET the data in a batch.

But still, I am facing issue that 403 Forbidden. Not able to understand why this is happening. Please find the attached.

Kindly suggest If I have to do any changes either in my UI5 code, OData Service implementation or Gateway configurations.

Thanks in Advance..!!

With Best Regards,

Phaneendra

Re: 403 Forbidden : CSRF token validation failed

S_Sriram — Sat, 27 Feb 2016 07:05:48 GMT

Hi Phaneendra

Kindly check this SCN link

Regards

Re: 403 Forbidden : CSRF token validation failed

Private_Member_148162 — Sat, 27 Feb 2016 09:50:51 GMT

Hi Sriram,

Thanks for the quick reply. I have already checked this blog.

As explained in the blog, I am not using either of them. But still I am facing the issue.

Thanks,

Phaneendra.

Re: 403 Forbidden : CSRF token validation failed

Former Member — Tue, 01 Mar 2016 17:37:01 GMT

Hello Phaneendra,

Have you checked this -

Please check whether in SICF service is active or not.

Troubleshooting - User Interface Add-On for SAP NetWeaver - SAP Library

Cheers

~Rahul

Re: 403 Forbidden : CSRF token validation failed

amarnath_prasad — Tue, 01 Mar 2016 19:43:25 GMT

1st of all call get method for CSRF token of that service then call your upload url.It will definitely work.Reason is very clear when we are making any modify request(post/update method) framework validate CSRF token(cross site request forgery) & making any non modify request(get method) csrf token returns in header.

Reward if helpful.

Re: 403 Forbidden : CSRF token validation failed

Ivaylo — Wed, 02 Dec 2020 17:29:22 GMT

Hi,

facing the same 403 / Forbidden, although I passed CSRF token from GET to PUT. Passed also cookies and x-requested-with = ‘X’. I've described my scenario in details in responce to:

https://blogs.sap.com/2014/07/11/issues-with-csrf-token-and-how-to-solve-them/

Would appreciate meaningful suggestions.

Thanks

BR,

Ivaylo

Re: 403 Forbidden : CSRF token validation failed

former_member706001 — Tue, 04 May 2021 13:58:48 GMT

Hello

I am facing the same issue, could you find any solution to this problem?

Thanks

Osman

Re: 403 Forbidden : CSRF token validation failed

Ivaylo — Thu, 03 Jun 2021 14:41:15 GMT

Hi Osman,

I think I workarrounded that. I redefined CL_REST_RESOURCE and its IF_REST_RESOURCE~GET method, thus escaping from CSRF cookie problem. This way I don't have any negotiation regarding CRSF, but it worked for my scenario 🙂

BR,

Ivaylo

Re: 403 Forbidden : CSRF token validation failed

quovadis — Mon, 07 Jun 2021 08:53:53 GMT

Hello Community Friends,

The main thing is to pass both the previously fetched x-csrf-token itself along with its session cookie.

The session cookie permits to assert the validity of the x-csrf-token token.

You may want to have a look at the following blog post on 403 where I discuss this matter in more details.

best regards, Piotr

Re: 403 Forbidden : CSRF token validation failed

former_member1150092 — Tue, 13 Jul 2021 20:10:02 GMT

This answer was really helpful.

Re: 403 Forbidden : CSRF token validation failed

former_member6142 — Thu, 17 Feb 2022 12:33:46 GMT

Sometimes there are also issues with the SameSite parameter settings in the backend. Check in the Browser Dev Tools if there are issues with SameSite parameter.