Getting 'CSRF token validation failed' error while flushing Offline Store in native Offline app

Former Member

Hi All,

We are developing an Android native Offline app using SMP 3.0 SDK SP13 PL07 and SMP runtime SP11 PL04. We have our OData services implemented on an S/4HANA system.

We are able to fetch the data and populate the offline store successfully. But when we try to do transactions (creating / updating entities) and flush/refresh the offline store, we get a 'CSRF token validation failed' error in the ODataOfflineStoreRequestErrorListener callback named 'offlineStoreRequestFailed'.

Also, when testing in the Postman client, we get an X-CSRF token when executing a GET request with 'X-CSRF-Token: Fetch' in the request headers. So the service is returning the required X-CSRF token.

As per some other blog posts, in the case of an Offline store implementation we don't have to handle X-CSRF tokens explicitly. So we haven't implemented any extra code for X-CSRF token handling on the client side.

Below is a screenshot of the Postman client where we have fetched the X-CSRF token successfully:

1) [screenshot not included in this copy of the post]

Below are the screenshots of the configuration done on the SMP server.

1) [screenshot not included in this copy of the post]

2) [screenshot not included in this copy of the post]

Kindly help us out here. Thanks in advance.

Kind Regards,

Shubham Kansal

Accepted Solutions (0)

Answers (1)


andreas_wegmann
Employee

Hi Shubham,

The root cause could be that a stale CSRF token is being sent to the gateway from the OData cookie store, which causes CSRF token validation in the backend server to fail, resulting in a 403 status returned to the client with the corresponding message from the gateway server that CSRF token validation failed. This can happen in two situations:
1. The SMP server session is active but the specific endpoint is not accessed for some time and the Gateway session times out. When the endpoint is accessed, a new connection to the gateway is established using the MYSAPSSO2 token from the authenticated SMP session, but since the CSRF token stored in the OData cookie store corresponds to the old session, Gateway throws a 403 indicating an error validating the provided CSRF token. So, the customer needs to handle the 403 error from the gateway by fetching the CSRF token again and re-executing the POST request.
2. The device is left idle and the SMP session times out. When the application is accessed, the device application silently re-establishes a new session to the SMP server using stored credentials (assuming a basic auth scenario here). When the endpoint is accessed, a new session to the gateway is established if the old session is no longer valid (if the device has been idle for an interval longer than the gateway session timeout), and the CSRF token value from the odp-cookie-store cookie forwarded from the device, which contains session information from the previous session, is passed on.
The Gateway server fails to validate the specified CSRF token and returns a 403.
To resolve the issue, the client application should be coded to handle the 403 error by fetching the CSRF token again and executing the POST operation that encountered the error.

KR

Andreas
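As an added illustration (not code from the SMP SDK, the Gateway, or either poster), the following simulates the sequence Andreas describes: the gateway session expires, the client still holds the CSRF token of the old session, the modifying request gets a 403, and the client recovers by re-fetching the token with 'X-CSRF-Token: Fetch' and retrying the POST once. The `Gateway` and `OfflineClient` classes, session ids and token values are constructed stand-ins.

```python
import secrets


class Gateway:
    """Constructed stand-in for the OData gateway: one CSRF token per session."""

    def __init__(self):
        self.sessions = {}  # session id -> CSRF token valid only for that session

    def new_session(self):
        sid = secrets.token_hex(4)
        self.sessions[sid] = secrets.token_urlsafe(16)
        return sid

    def expire(self, sid):
        """Simulate the gateway session timing out while the device is idle."""
        self.sessions.pop(sid, None)

    def handle(self, method, headers, sid):
        # An expired session is silently replaced (the SSO re-login in the answer);
        # the client, however, still holds the token issued for the old session.
        if sid not in self.sessions:
            sid = self.new_session()
        token = self.sessions[sid]
        if method == "GET":
            resp = {"X-CSRF-Token": token} if headers.get("X-CSRF-Token") == "Fetch" else {}
            return 200, resp, sid
        if headers.get("X-CSRF-Token") != token:  # stale or missing token on a modifying request
            return 403, {"message": "CSRF token validation failed"}, sid
        return 201, {}, sid


class OfflineClient:
    """Client side: fetch the token once; on 403 re-fetch it and retry the POST once."""

    def __init__(self, gateway):
        self.gw, self.sid, self.token, self.retries = gateway, gateway.new_session(), None, 0

    def fetch_token(self):
        _, hdrs, self.sid = self.gw.handle("GET", {"X-CSRF-Token": "Fetch"}, self.sid)
        self.token = hdrs["X-CSRF-Token"]

    def post(self, retry_on_403=True):
        if self.token is None:
            self.fetch_token()
        status, _, self.sid = self.gw.handle("POST", {"X-CSRF-Token": self.token}, self.sid)
        if status == 403 and retry_on_403:
            # Treat the 403 as "token from a dead session": fetch a fresh one, retry once only.
            self.retries += 1
            self.fetch_token()
            status, _, self.sid = self.gw.handle("POST", {"X-CSRF-Token": self.token}, self.sid)
        return status
```

Retrying only once keeps a 403 caused by something other than a stale token (for example a genuine authorization failure) from turning into a retry loop.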