How to Fix Whoops Invalid Csrf Token Please Try Again
Lately, I was struggling with the correct handling of this token. Since I found some misleading content here in the community network, I would like to share my findings.
What is CSRF, why do we use a CSRF token and how long it is valid
CSRF (Cross-site request forgery) is a type of attack in which the attacker tries to send malicious requests from a website that the user visits to another site where the victim is authenticated. Protection against this attack is based on keeping a security token during the user's session and providing it with every modifying operation (PUT, POST, DELETE). If the provided token is not correct, the gateway responds with the HTTP 403 ("Forbidden") return code. [1, 2]
The validity depends on your settings and SAP_BASIS release. In my case, I found out that the validity of the token is set to 30 minutes.
"The validity of the CSRF token depends on the release of the ABAP component SAP_BASIS and on the activation of the security session management (which is controlled via the transaction SICF_SESSIONS on the granularity of SAP clients):
1. Release < 7.03/7.31 or the security session management is inactive: An own CSRF cookie gets generated (sap-XSRF_<SystemID>_<SAPClient>) and this CSRF token remains valid for 24 hours (86400 seconds).
2. Release >= 7.03/7.31: the validity is bound to the security session, which depends on the system parameter http/security_session_timeout value (see transaction RZ11 for details on this parameter). By default, the security session management is active in these releases." [3]
When you do not provide a fresh security token with a modifying request, the user can end up with a 403 error message, and his recent entry in some form will most likely be lost. There are different ways in which the token is handled.
1st issue – You are using ODataModel for modifying operations and not calling the refreshSecurityToken() method before them
You should be safe anyway. ODataModel has a parameter called bTokenHandling that takes care of token handling. I did not find information on when openui5 started to support this functionality, but you can check in the debugger that after creating an ODataModel instance, bTokenHandling is set to true by default.
So the consequence of this finding is that you do not need to use the method refreshSecurityToken() unless you turn off bTokenHandling or you want to implement some special functionality when the refresh fails.
2nd issue – You are using the datajs library and OData.request for your change operations
There are several blog posts in SCN using this library. You should fetch the CSRF token before every change operation if you want to prevent your user from seeing an HTTP 403 response.
3rd issue – You are using an external REST client for testing modifying operations
If you do not provide the token, you will receive a 403 HTTP Forbidden response with the following message: "CSRF token validation failed".
In this case, you need to first fetch the CSRF token by adding the header parameter X-CSRF-Token : Fetch to a read request, read its value from the response header x-csrf-token, and add it manually to the header of your test change request.
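The token handshake described for the 2nd and 3rd issues, written out as an added example (it is not code from the original post, from SAP or from OpenUI5): a read request carrying X-CSRF-Token: Fetch obtains the token from the x-csrf-token response header, every change request carries that token, and because the token is bound to the security session (30 minutes in the system above), the client refetches it exactly once when a change is rejected with 403 "CSRF token validation failed". The transport function, the fake gateway, the service path /sap/opu/odata/sap/ZDEMO_SRV/ and the token values are assumptions made so the example runs offline; in a real application the transport would wrap XMLHttpRequest or datajs's OData.request.

```javascript
// Added example, not code from the original post or from SAP/OpenUI5.
// Assumed transport contract (hypothetical, so the flow runs offline):
//   transport(method, url, headers, body) -> { status, headers, body }
// with response header names in lowercase.

const TOKEN_HEADER = 'x-csrf-token';
const REJECTION_TEXT = 'CSRF token validation failed';

// Step 1: a safe GET with "X-CSRF-Token: Fetch" makes the gateway return the
// token in the x-csrf-token response header.
function fetchCsrfToken(transport, serviceUrl) {
  const res = transport('GET', serviceUrl, { 'X-CSRF-Token': 'Fetch' }, null);
  const token = res.headers[TOKEN_HEADER];
  if (res.status !== 200 || !token) {
    throw new Error('could not obtain CSRF token (HTTP ' + res.status + ')');
  }
  return token;
}

// A missing or stale token is answered with 403 and the message quoted in the
// post; in practice the gateway also sets x-csrf-token: Required. Accept
// either, so that a 403 caused by a plain authorization failure is not
// mistaken for a token problem.
function isTokenRejection(res) {
  if (res.status !== 403) return false;
  const hdr = String(res.headers[TOKEN_HEADER] || '').toLowerCase();
  return hdr === 'required' || String(res.body || '').indexOf(REJECTION_TEXT) !== -1;
}

// Session-scoped client: caches the token, attaches it to every change and
// refetches it exactly once on rejection (no unbounded retry loop).
function createCsrfClient(transport, serviceUrl) {
  let token = null;
  function send(method, url, body) {
    const headers = { 'X-CSRF-Token': token, 'Content-Type': 'application/json' };
    return transport(method, url, headers, body);
  }
  return {
    change(method, url, body) {
      if (token === null) token = fetchCsrfToken(transport, serviceUrl);
      let res = send(method, url, body);
      if (isTokenRejection(res)) {
        token = fetchCsrfToken(transport, serviceUrl); // security session timed out
        res = send(method, url, body);
      }
      return res;
    },
    currentToken() { return token; }
  };
}

// Constructed stand-in for SAP Gateway (not a real server) so the handshake
// can be exercised offline, including the session timeout from the post.
function makeFakeGateway() {
  let serial = 0;
  let validToken = null;
  const log = [];
  function transport(method, url, headers, body) {
    log.push(method + ' ' + url);
    const h = {};
    Object.keys(headers || {}).forEach(k => { h[k.toLowerCase()] = headers[k]; });
    if (method === 'GET' && h[TOKEN_HEADER] === 'Fetch') {
      validToken = 'token-' + (++serial);
      return { status: 200, headers: { [TOKEN_HEADER]: validToken }, body: '' };
    }
    if (method !== 'GET' && (validToken === null || h[TOKEN_HEADER] !== validToken)) {
      return { status: 403, headers: { [TOKEN_HEADER]: 'Required' }, body: REJECTION_TEXT };
    }
    return { status: 201, headers: {}, body: body };
  }
  return { transport, log, expireSession() { validToken = null; } };
}

// Walk through: first change (fetch + POST), session expiry, second change
// (rejected POST, refetch, POST). Five requests in total.
function demo() {
  const gw = makeFakeGateway();
  const svc = '/sap/opu/odata/sap/ZDEMO_SRV/'; // placeholder service path
  const client = createCsrfClient(gw.transport, svc);
  const first = client.change('POST', svc + 'Orders', '{"Id":"1"}');
  gw.expireSession(); // simulate the 30-minute security session timeout
  const second = client.change('POST', svc + 'Orders', '{"Id":"2"}');
  return { first: first.status, second: second.status, requests: gw.log.length, token: client.currentToken() };
}

console.log(demo());
```

For a manual test with an external REST client the same two steps apply by hand: send the GET with X-CSRF-Token: Fetch, copy the x-csrf-token response header into the X-CSRF-Token request header of the change request, and repeat the fetch when the session has timed out.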
4th issue – You are sending files to SAP Gateway using sap.ui.commons.FileUploader and you are getting a 403 HTTP response – CSRF token validation failed
Unfortunately, there is no link between the FileUploader and ODataModel, so the FileUploader needs to handle the token by itself. The same logic applies here as in the previous issue. Unfortunately (again), there is no way to set an HTTP header parameter for the FileUploader, so you need to redefine it yourself and change the logic as described in this post: Re: FileUploader and X-CSRF-Token?
Looking forward to your feedback; let me know if some of my assumptions are not correct.
References
[1] Cross-site request forgery – Wikipedia, the free encyclopedia
[2] https://help.sap.com/saphelp_nw74/helpdata/en/b3/5c22518bc72214e10000000a44176d/content.htm
[3] CSRF Protection – Connectivity – SAP Library
Source: https://blogs.sap.com/2014/07/11/issues-with-csrf-token-and-how-to-solve-them/