FAQ’s on security session restriction for ODATA calls

This document contains FAQs with respect to the change done all OData APIs to optimize security session handling thereby helping the stability and performance. To know more about the change, refer to https://launchpad.support.sap.com/#/notes/3339155

1. Does this change impacts the integrations which use x-csrf-token that is sent in the request header.

Yes. Only if the integration has any checks or coding done using specific cookie name.

2. Does the change impacts only the OData integrations which use the business user for authentication? 

Both, business user and technical users are impacted. For technical users CSRF token is not mandatory.

3. How to send all cookies to C4C within the given integration flow? 

Please check with the Cloud Platform Integration (CPI) team on sending all cookies.

4. When is the change deployed?

Change will be deployed with 2308 HFC02 to only customer test tenants. Customer/Partner need to adopt changes(Refer KBA: https://launchpad.support.sap.com/#/notes/3339155) and test with the test tenant. With 2311 it will be available in production tenant.

5. Do we need to do anything in CPI or C4C after 2308 release? If so, what is this process? Can you give step-by-step information?

• Fix will be available with 2308 HFC02 in customer test tenants only.


• If your integrations are failing, please check if you have coded using specific cookie name.


• If so, it needs to be removed. There should not be any coding/checks done on cookie names.


• All cookies received in response need to be sent back in subsequent OData calls.


• Test the changes in test tenant to confirm on its working.

6. Can you please confirm the changes would not affect any of the IBSO developments or Integrations from SAP IBSO solution?

If your integration is not based on specific cookie name i.e., checking or coding based on cookies it should not have any impact.

7. Do we need to do any changes in C4C SDK side? If yes, please elaborate?

If you have coded in SDK based on cookie name i.e., checking specific cookies in the code then it should be removed. Rather without any filters all cookies returned by the server has to be sent back in the subsequent OData calls. Refer KBA https://launchpad.support.sap.com/#/notes/3339155

8. Have an integration from external system to C4C using CPI as a middleware. Does this change impact integration?

Please check your integration (iFlows) has checks or coding based on specific cookie. If not, then it should not have any impact. If yes, then needs to be corrected and tested with 2308 HFC02 in test tenants.

9. By using the Build OData Queries option for Data sources and reports to visualize the reports in Power BI. The mail states that the integration scenarios of ODATA API’s are being changed. Can you please let us know if the Build OData Queries option also will be affected by this or there won’t be any changes required for that?

Ideally there should not be any impact until and unless your integration has checks or coding based on specific cookie name. Please check and adopt the changes and test in the test system after 2308 HFC02. Refer KBA. https://launchpad.support.sap.com/#/notes/3339155

10. As per our checks both SAP delivered OData Services and custom OData Services in ByD/C4C. However, we are not sure if we need any setting change for both Custom OData Service and SAP delivered OData Service. Please clarify if any change required on client side?

No changes are required to be done for custom OData services. Please check if your client consuming OData services has checks or coding based on specific cookie. If yes, needs to remove that. Also in the subsequent OData calls, send all the cookies back.