csrf-token error

Former Member
0 Kudos

Hi,

I have disabled the csrf token for a service with POST(CREATE) method.

But still, when I call the service from the REST client in Firefox I get an error saying CSRF token validation failed.

I have gone through the documentation of SAP regarding that and done all the steps but still it is not working.

Any help / guidance to resolve this would be much appreciated!

Best regards,

Jagruti

Accepted Solutions (1)

RalfHandl
Product and Topic Expert

Hi Jagruti,

You cannot disable CSRF protection completely. Setting ~CHECK_CSRF_TOKEN=0 only switches back to a less secure mechanism that requires you to provide a constant HTTP header

    X-Requested-With: X

in your data modification request.

Hope this helps!

--Ralf

Answers (3)

Former Member
0 Kudos

Hello,

I have the same problem.

Regards

Vladislav

RalfHandl
Product and Topic Expert
0 Kudos

Hi Vladislav,

Have you tried providing the header

    X-Requested-With: X

after setting ~CHECK_CSRF_TOKEN=0? You cannot completely switch off CSRF protection; you can only switch to the less safe variant using the constant header instead of the token.

Hope this helps!
--Ralf

former_member186439
Participant
0 Kudos

I discovered that if you make your service Anonymous, you cannot disable the check. 

Former Member
0 Kudos

How do you mean "Anonymous"?

Regards

Vladislav

former_member186439
Participant
0 Kudos

Anonymous means "no authentication required".  I'm not a Basis person, so I cannot tell you the exact place in SICF where this is configured.

Former Member
0 Kudos

Hi,

I just ran into the same problem.

My NW 7.02 is running GW 2.0 SP6, but I guess that doesn't matter, because the CSRF-Token is handled purely by ICF, right?

I set ~CHECK_CSRF_TOKEN = 0 in my service (I am pretty sure that I got the right service in SICF!). This caused the following behaviour:

  • Still got the message about the invalid CSRF token when trying to POST
  • However, when I do a GET with header X-CSRF-Token : fetch, then the response header does not contain the token.

I switched back to ~CHECK_CSRF_TOKEN = 1 and then everything works as before.

Björn

Vlad
Advisor
0 Kudos

Hello Jagruti,

How did you disable it? As described here - http://help.sap.com/saphelp_gateway20sp07/helpdata/en/89/ea6a0543dc4e13b20b3462f57d7404/frameset.htm ?

Why do you want to disable it? This makes your application less secure.

Kind regards,

Vlad

Former Member
0 Kudos

Hi Vladislav,

I have disabled it because of the requirement, and I want it to be disabled in spite of the security issue.

I used the ~X-CSRF-TOKEN = 0 in the ICF Configuration of the service.

But it is not working.

Any help / guidance to resolve this would be much appreciated!

Best regards,

Jagruti

kammaje_cis
Active Contributor
0 Kudos

Are you sure about the name of the parameter? It is not ~X-CSRF-TOKEN.

I see that it has to be

  • Parameter Name: ~CHECK_CSRF_TOKEN
  • Parameter Value: 0/1 (disable/enable)

Thanks

Krishna

Former Member
0 Kudos

Hi Krishna,

I have disabled it using ~CHECK_CSRF_TOKEN = 0 parameter only.

But still the REST client is throwing the same error "CSRF validation failed".

Best regards,

Jagruti

kammaje_cis
Active Contributor
0 Kudos

Hope you have identified your service right in SICF and disabled it.

former_member192050
Participant
0 Kudos

Hi Kishor,

Greetings of the day

1. I am not getting the CSRF token.

Earlier I was able to get the token, but all of a sudden now it is not fetching (using the REST client in both Chrome and Firefox).

I am using the header X-CSRF-Token = Fetch.

Please help me on this...

Thanks & regards

Sathish

AshwinDutt
Active Contributor
0 Kudos

Hello Sathish,

Please pass as below:

Header -> x-csrf-token

Value -> fetch

Use the URL which is used to get the metadata of your service with the above header and value to get the token.

You will get the token value in the response headers.

If at all you are not able to fetch it, please check that your service is getting fired in the very first place.

Go to your GW system and check whether the service is getting fired or not in /IWFND/APPS_LOG.

Regards,

Ashwin
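As an added illustration of the two behaviours discussed in this thread (Ralf's accepted answer on ~CHECK_CSRF_TOKEN=0 and the X-Requested-With header, and Ashwin's fetch-then-POST flow), here is a simplified model of the server-side check and the matching client flow. It is example code written for this page, not SAP's ICF implementation; the class and function names are hypothetical, and the detail that mode 0 issues no token on the GET follows Björn's observation above.

```python
import secrets
from dataclasses import dataclass, field

# Simplified model of the ICF CSRF check as described in the thread (not SAP's code).
# ~CHECK_CSRF_TOKEN=1: modifying requests must carry the token fetched via GET.
# ~CHECK_CSRF_TOKEN=0: modifying requests must instead carry the constant
#                      header "X-Requested-With: X"; protection is never fully off.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class IcfService:
    check_csrf_token: int = 1  # models the ~CHECK_CSRF_TOKEN node parameter
    session_token: str = field(default_factory=lambda: secrets.token_urlsafe(24))

    def handle(self, method: str, headers: dict) -> tuple[int, dict]:
        """Return (status, response_headers) for a request to this service."""
        hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        if method in SAFE_METHODS:
            resp = {}
            # GET with "x-csrf-token: fetch" returns the token in the response header,
            # but only in mode 1 (as reported in the thread, mode 0 returns none).
            if self.check_csrf_token == 1 and hdrs.get("x-csrf-token", "").lower() == "fetch":
                resp["x-csrf-token"] = self.session_token
            return 200, resp
        if self.check_csrf_token == 1:
            # constant-time comparison against the token bound to this session
            if not secrets.compare_digest(hdrs.get("x-csrf-token", ""), self.session_token):
                return 403, {"x-csrf-token": "Required"}  # "CSRF token validation failed"
            return 201, {}
        # mode 0: no token, but the constant header is still mandatory
        if hdrs.get("x-requested-with") != "X":
            return 403, {}
        return 201, {}


def create_entity(service: IcfService) -> int:
    """Client side: fetch the token with a GET, then send it with the POST.
    Falls back to the constant header when the GET returned no token (mode 0)."""
    _, resp = service.handle("GET", {"x-csrf-token": "fetch"})
    post_headers = {"content-type": "application/json"}
    if "x-csrf-token" in resp:
        post_headers["x-csrf-token"] = resp["x-csrf-token"]
    else:
        post_headers["X-Requested-With"] = "X"
    status, _ = service.handle("POST", post_headers)
    return status
```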