OData doesn't return CSRF token, why?

former_member190939
Participant
0 Kudos

Hello Experts,

Why does my gateway system not return X-CSRF-Token? It comes back undefined. What system settings do I need to check?

Please advise.

oModel = new sap.ui.model.odata.ODataModel(serviceUrl, true, "USER", 'PASS');

OData.request({
        requestUri: serviceUrl + filter,
        method: "GET",
        dataType: 'json',
        user: "USER", password: "PASS",
        headers: {
            "X-Requested-With": "XMLHttpRequest",
            "Content-Type": "application/json; charset=utf-8",
            "DataServiceVersion": "2.0",
            "X-CSRF-Token": "Fetch"
        }
    },
    function (data, response) {
        csrftokenGlobal = response.headers['x-csrf-token'];     // undefined
    },
    function (err) {}
);

Thank you,
Seyed Ismail

Accepted Solutions (1)

EkanshCapgemini
Active Contributor

Hi Seyed,

As per this document on CSRF tokens, Cross-Site Request Forgery Protection - SAP Gateway Foundation (SAP_GWFND) - SAP Library, there are two possible scenarios:


1. A CSRF token is only generated after authentication on the server. Therefore, modifying operations for public services that do not require authentication, are not supported by the CSRF token-based protection.

You need to check whether any username/password is hardcoded in the SICF node. If it is hardcoded, please remove the credentials.


2. Cookies must be sent back to the server. HTTPS must be used if the server sends secure cookies.

Applicable for modifying requests with HTTP: If the HTTP status code 403 (forbidden) is displayed together with the information that a valid CSRF token is required, check that the profile parameter login/ticket_only_by_https is set to 0 (false) and not 1 (true) in transaction Maintain Profile Parameters (RZ11). By setting the value of this profile parameter to 0, you can enable the use of cookies for HTTP.

Regards,

Ekansh
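The token handshake the question and the accepted answer describe, as an added example that is not part of the original thread and not SAP code: a non-modifying request carrying `X-CSRF-Token: Fetch`, the token read from the response header, and the token replayed on the modifying request. The client fails fast when the fetch response carries no token (the "undefined" symptom above) instead of sending a bad header and getting a 403 later. The `transport` function, the `makeFakeGateway` stand-in, its `anonymousNode` switch, the service path and the token value are all constructed for this example so it runs offline; the real SAP Gateway is only approximated in the points the thread states (a token is issued only to an authenticated session, a modifying request without a valid token is rejected with 403).

```javascript
// Lower-case all header names so lookups do not depend on the server's casing.
function lowerCaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Step 1: ask the service for a token with a non-modifying request.
// `transport` is an injected function (request -> response); in a real UI5 app this
// would be the HTTP call, here it is a constructed stand-in.
function fetchCsrfToken(transport, serviceUrl) {
  const res = transport({
    method: "HEAD",
    url: serviceUrl,
    headers: { "X-CSRF-Token": "Fetch", "X-Requested-With": "XMLHttpRequest" },
  });
  const token = lowerCaseKeys(res.headers)["x-csrf-token"];
  if (typeof token !== "string" || token.length === 0) {
    // Fail here rather than sending "undefined" on the POST; the accepted answer's
    // explanation (no token for a session that was never authenticated) is the first thing to check.
    throw new Error(
      "no X-CSRF-Token in fetch response (HTTP " + res.status +
      "): the gateway issues a token only to an authenticated session"
    );
  }
  return token;
}

// Step 2: send the token on the modifying request.
function createEntity(transport, serviceUrl, payload) {
  const token = fetchCsrfToken(transport, serviceUrl);
  return transport({
    method: "POST",
    url: serviceUrl,
    headers: { "X-CSRF-Token": token, "Content-Type": "application/json; charset=utf-8" },
    body: JSON.stringify(payload),
  });
}

// Constructed stand-in for the gateway (not SAP code). With `anonymousNode: true` it models
// the SICF node from the question: the caller is never authenticated as a user, so no token is issued.
function makeFakeGateway({ anonymousNode }) {
  const issued = "constructed-token-0123"; // constructed sample value
  return function transport(req) {
    const h = lowerCaseKeys(req.headers);
    const modifying = !["GET", "HEAD", "OPTIONS"].includes(req.method);
    if (!modifying) {
      const headers = {};
      if (h["x-csrf-token"] === "Fetch" && !anonymousNode) headers["x-csrf-token"] = issued;
      return { status: 200, headers, body: "" };
    }
    if (h["x-csrf-token"] !== issued) {
      return { status: 403, headers: { "x-csrf-token": "Required" }, body: "CSRF token validation failed" };
    }
    return { status: 201, headers: {}, body: req.body };
  };
}

// Runs one end-to-end create against the stand-in and reports the outcome.
function scenario(anonymousNode) {
  const gw = makeFakeGateway({ anonymousNode });
  try {
    const res = createEntity(gw, "/sap/opu/odata/EXAMPLE_SRV/Items", { id: 1 }); // constructed path
    return { ok: true, status: res.status };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

console.log("authenticated node:", scenario(false));
console.log("anonymous node:    ", scenario(true));
```

The `anonymousNode` run reproduces the thread's symptom (no token in the fetch response) as an explicit error at the fetch step, which is where the missing-credentials check in the accepted answer belongs; the authenticated run shows the normal fetch-then-replay sequence ending in 201.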

former_member190939
Participant
0 Kudos

Hi Ekansh,

Yes, I have defaulted the user credentials in my service. I removed it and it worked, thank you.

Seyed Ismail.

Answers (0)