Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Chrome, localhost and CSRF

janschober
Participant
‎01-10-2014 8:34 AM

Hi all,

I'd like to share some experience, building and debugging SAP UI5 Apps against SMP and finally hitting an SAP Netweaver Gateway.

I really like Google's Chrome browser for debugging HTML5 apps as it comes with the nice JavaScript Console giving you all kinds of information during runtime.


So I was building an app using AppBuilder which would create a SalesOrder in the Gateway System.

As we all know, to do modifying requests (like a creation) it is required to overcome the Cross-Site Request Forgery Protection, so we have to fetch an X-CSRF-TOKEN and send it along with the modifiying request.

As some might not know, with Netweaver Gateway you also receive and have to provide a cookie called sap-XSRF_<SID>_<client> (for more information see help.sap.com).

As mentioned before, I worked with AppBuilder with a development SMP server, running on the same box. AppBuilder obviously running in Google Chrome to be able to debug. So what happened was, whenever I tried POSTing the SalesOrder I received an "CSRF Token validation failed" error - although I had fetched it before and I could even see the token as well as the cookie being received in the debugger. Strangely enough the token arrived at Gateway - I could see that in the trace - but the cookie never did.

At first I thought SMP might be tempering with the cookie being kind of the hop in the middle. But further debugging proved it was not the case, the cookie actually never arrived at SMP either.

So it had to be the UI5 app, I thought. But suspecting the UI5 framework or my coding also proved wrong, as I was successfully able to do the POST when hitting the Gateway directly.

Finally, there was one piece left in the equation, which is Chrome itself providing the runtime for my app. After some research, I found this nice little thread on the Internet, basically saying "You can only set domain cookies for registry controlled domains, i.e. something ending in .com or so, but not IPs or intranet hostnames like localhost"

It suddenly dawned on me: AppBuilder and SMP were running on the same box, so I had used localhost for configuring the connection between AppBuilder and SMP!

I changed that to its full qualified domain name - et voilà SalesOrder creation worked!

Bottom line: Don't use localhost or IP addresses as a link if you are working in Chrome - you might experience some strange behavior!

PS: If your development machine doesn't have a full qualified domain name, just add a line in your hosts-file, saying something like 127.0.0.1 mymachine.mydomain.xyz and use that as your hostname.

1 Comment
Labels in this area
Popular Blog Posts