Lately I have been struggling with the correct handling of this token. Since I found some misleading content here in the community network, I would like to share my findings.

What CSRF is, why we use a CSRF token, and how long it is valid

CSRF (Cross-site request forgery) is a type of attack in which the attacker makes the victim's browser send malicious requests from a website the victim visits to another site where the victim is authenticated. Protection against this attack is based on keeping a security token for the duration of the user's session and sending it with every modifying operation (PUT, POST, DELETE). If the provided token is not correct, the gateway responds with HTTP 403 (“Forbidden”). [1, 2]

How long the token is valid depends on your settings and on the SAP_BASIS release. In my case, I found that the token validity is 30 minutes.

“The validity of the CSRF token depends on the release of the ABAP component SAP_BASIS and on the activation of the security session management (which is controlled via the transaction SICF_SESSIONS on the granularity of SAP clients):

1. Release < 7.03/7.31 or the security session management is inactive: a separate CSRF cookie is generated (sap-XSRF_<SystemID>_<SAPClient>) and this CSRF token remains valid for 24 hours (86400 seconds).

2. Release >= 7.03/7.31: the validity is bound to the security session, which depends on the system parameter http/security_session_timeout value (see transaction RZ11 for details on this parameter). By default, the security session management is active in these releases.” [3]

When you do not send a valid security token with a modifying request, the user ends up with a 403 error message, and whatever they just entered in a form is most likely lost. How the token is handled depends on which client you use; the cases below are the ones I ran into.

1st issue – You are using ODataModel for modify operations without calling the refreshSecurityToken() method before them

You should be safe anyway. ODataModel has a parameter called bTokenHandling that takes care of the token handling. I did not find information on when OpenUI5 started to support this functionality, but you can check in the debugger that after creating an ODataModel instance, bTokenHandling is set to true by default.

So the outcome of this finding is that you do not need to call refreshSecurityToken() unless you turn bTokenHandling off or you want to implement some special behaviour when the refresh fails.

2nd issue – You are using the datajs library and OData.request for your modify operations

There are several blog posts on SCN using this library. With datajs, nothing fetches the token for you: you should fetch the CSRF token before every modify operation (or at least re-fetch it and retry when you get a 403) if you want to prevent your users from seeing an HTTP 403 response.

3rd issue – You are using an external REST client for testing a modify operation

If you do not provide the token, you will receive a 403 HTTP Forbidden response with the message “CSRF token validation failed”.

In this case, you first need to fetch the CSRF token: send a GET request with the header X-CSRF-Token: Fetch, read the token from the x-csrf-token response header, and add it manually to the header of your test modify request. The token is bound to the security session, so your REST client must also send back the session cookie(s) that the GET response set; the token alone, sent without that cookie, is rejected as well.
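The handshake that the 2nd and 3rd issues describe, and the refresh-and-retry that ODataModel's bTokenHandling does for you in the 1st, as an added example that is not code from the original post or from OpenUI5. The gateway here is a constructed mock that behaves as the post describes (a GET with X-CSRF-Token: Fetch returns the token, a modifying request without the session cookie and the matching token gets 403 "CSRF token validation failed", the token expires with the 30-minute security session); the cookie name, token values and the /Items payload are made up, and the 403 response carrying the header x-csrf-token: Required is assumed, which is what the client keys its retry on.

```javascript
// Constructed mock of the gateway. A security session is keyed by its cookie; a GET
// with "X-CSRF-Token: Fetch" returns that session's token; POST/PUT/DELETE must carry
// both the cookie and the matching token, otherwise 403 "CSRF token validation failed".
class MockGateway {
  constructor({ tokenTtlMs = 30 * 60 * 1000, now = () => Date.now() } = {}) {
    this.sessions = new Map();      // cookie value -> { token, expiresAt }
    this.tokenTtlMs = tokenTtlMs;   // the 30-minute validity from the post
    this.now = now;                 // injectable clock so expiry can be simulated
    this.calls = 0;                 // number of requests served
    this.seq = 0;                   // counter for constructed cookie/token values
  }
  handle(req) {
    this.calls++;
    const h = lowerKeys(req.headers || {});
    let cookie = h.cookie;
    let session = cookie ? this.sessions.get(cookie) : undefined;
    if (session && session.expiresAt <= this.now()) {   // expired security session
      this.sessions.delete(cookie);
      session = undefined;
    }
    if (req.method === "GET") {
      const res = { status: 200, headers: {}, body: "" };
      if ((h["x-csrf-token"] || "").toLowerCase() === "fetch") {
        if (!session) {                                   // start a fresh session
          this.seq++;
          cookie = "SAP_SESSIONID_TST_100=s" + this.seq;  // constructed cookie name/value
          session = { token: "tok-" + this.seq, expiresAt: this.now() + this.tokenTtlMs };
          this.sessions.set(cookie, session);
          res.headers["set-cookie"] = cookie + "; path=/";
        }
        res.headers["x-csrf-token"] = session.token;
      }
      return res;
    }
    if (!session || h["x-csrf-token"] !== session.token) {
      return { status: 403, headers: { "x-csrf-token": "Required" }, body: "CSRF token validation failed" };
    }
    return { status: 201, headers: {}, body: "created" };
  }
}

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Client side: what a datajs or REST-client caller has to do by hand.
// `transport` is a function(req) -> res; here it is wired to the mock gateway.
class CsrfClient {
  constructor(transport) {
    this.transport = transport;
    this.token = null;
    this.cookie = null;     // the security-session cookie from the last Set-Cookie
  }
  send(method, path, body, headers = {}) {
    if (this.cookie) headers.Cookie = this.cookie;         // always send the session back
    const res = this.transport({ method, path, body, headers });
    const setCookie = res.headers["set-cookie"];
    if (setCookie) this.cookie = setCookie.split(";")[0];  // keep only name=value
    return res;
  }
  fetchToken(path) {
    const res = this.send("GET", path, null, { "X-CSRF-Token": "Fetch" });
    this.token = res.headers["x-csrf-token"] || null;
    return this.token;
  }
  modify(method, path, body) {
    if (!this.token) this.fetchToken(path);
    let res = this.send(method, path, body, { "X-CSRF-Token": this.token });
    const stale = res.status === 403 &&
      String(res.headers["x-csrf-token"] || "").toLowerCase() === "required";
    if (stale) {                        // token expired or wrong: refresh once and retry
      this.fetchToken(path);
      res = this.send(method, path, body, { "X-CSRF-Token": this.token });
    }
    return res;
  }
}

// Walk through the cases from the post with a fake clock; returns the observed statuses.
function demo() {
  let clock = 0;
  const gw = new MockGateway({ now: () => clock });
  const client = new CsrfClient((req) => gw.handle(req));
  const entity = JSON.stringify({ Name: "demo" });             // constructed payload
  const noToken = gw.handle({ method: "POST", path: "/Items", body: entity, headers: {} });
  const first = client.modify("POST", "/Items", entity);        // fetch, then POST
  clock = 31 * 60 * 1000;                                       // past the 30-minute validity
  const before = gw.calls;
  const afterExpiry = client.modify("POST", "/Items", entity);  // 403, re-fetch, retry
  const roundTrips = gw.calls - before;
  // the token without the session cookie: rejected just like no token at all
  const tokenOnly = gw.handle({ method: "POST", path: "/Items", body: entity,
    headers: { "X-CSRF-Token": client.token } });
  return { noToken: noToken.status, first: first.status, afterExpiry: afterExpiry.status,
    roundTrips, tokenOnly: tokenOnly.status };
}
```

Running demo() gives 403 for the bare POST, 201 once the token and cookie are sent together, three round trips (403, re-fetch, retry) for the first modify after the session expired, and 403 again when the token is sent without the cookie. The retry is limited to one attempt on purpose: if the second request is also refused, something other than expiry is wrong and the error should reach the user rather than loop.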


4th issue – You are sending files to SAP Gateway using sap.ui.commons.FileUploader and you are getting a 403 HTTP response – CSRF token validation failed

Unfortunately, there is no link between the FileUploader and the ODataModel, so the FileUploader needs to handle the token by itself. The same logic applies here as in the previous issue. Unfortunately (again), there is no way to set an HTTP header parameter on the FileUploader, so you need to redefine it yourself and change the logic as described in this post: Re: FileUploader and X-CSRF-Token?

Looking forward to your feedback; let me know if some of my assumptions are not correct.

References

[1] Cross-site request forgery – Wikipedia, the free encyclopedia

[2] https://help.sap.com/saphelp_nw74/helpdata/en/b3/5c22518bc72214e10000000a44176d/content.htm

[3] CSRF Protection – Connectivity – SAP Library


3 Comments


  1. Sean Stockemer

    Hi Peter,

    Thanks for the blog, it helped when we were developing our front-end odata calls.

    We’ve got no problem with getting and maintaining our csrf token, but my question is kinda related to this topic.

    How can we ‘invalidate’ our token for test purposes? I’m testing the redirect @ an invalid token. I’ve deleted the browser cookie for my site, and I get redirected at the next page refresh because the token is no longer valid. However, I’m not entirely sure that this simulates a token expiring. The system parameter is set to the default (30 minutes) for NW7.40…and I’d like to leave it at that, but to simulate the csrf token expiring, do I really have to wait and remain inactive for an entire half hour?

    Many thanks,

    Sean

  2. Alex Liao

    Hi Peter,

    I tried the header property x-csrf-token; however, I found that a new token is generated when I do the POST request, so the two tokens are different.

    Finally, I retrieved the cookies from the GET request and set them on the POST request, and it runs OK.

    For your reference.

    1. Niroop Radhakrishnan

      Hi Alex,

      I am using Python to call the OData service. I am retrieving the cookie and x-csrf-token from the GET request and setting them on the POST request as below. Still I am getting a 403 error in return. Please help.

      import json, requests
      # the cookies set by the GET response (r) go back as request cookies, not as a "set-cookie" request header
      headers = {"X-CSRF-Token": r.headers.get("X-CSRF-Token")}
      s = requests.post(url, data=json.dumps(payload), headers=headers, cookies=r.cookies, auth=auth)

      Regards,

      Niroop

