In this how-to topic, I want to explain how to call an OData service in SAP Hybris Marketing Cloud in a way that ensures a high degree of system security and performance. I am using CUAN_IMPORT_SRV as an example, but this description applies to all OData services in SAP Hybris Marketing Cloud.
Steps to Import Data into the SAP Hybris Marketing Cloud System:
1. Request a CSRF token and session cookie by calling the metadata document.
   In the GET request header, you have to add the parameter name ‘x-csrf-token’ and the value ‘Fetch’, as shown in the code snippet. With this GET request, you will receive the CSRF token and session cookie in the response.
2. Create your payload with the data you want to send.
3. Post the data via the corresponding endpoint and send the CSRF token as well as the session cookie which you received in the first step. In the POST request, you have to add:
   - The parameter ‘x-csrf-token’ with the value of the token you received in step 1.
   - The parameter ‘Content-type’ with the value ‘application/json’.
   - The session cookie you received from the GET metadata request.
   - e.g. https://<mkt.com>/sap.opu.odata/sap/cuan_import_srv/ImportHeaders
4. At the end, you should terminate the session cookie by calling the logoff service. In this GET request, you have to add:
   - The parameter ‘x-csrf-token’ and the value you received in step 1.
   - The session cookie you received from the GET metadata request. By doing this, you ensure that the session cookie and CSRF token are no longer valid.
Note: Steps 1 and 4 are only called once, while steps 2 and 3 should be executed in a loop without fetching a new CSRF token and session cookie each time.
Important Points to Note:
- The session cookie will automatically terminate after 30 minutes of idle time.
- You should reuse the session cookie and CSRF token for as long as you can. In other words, you should try to avoid exceeding 30 minutes of idle time.
- By reusing the session cookie, you avoid additional calls to generate a new cookie every time. This improves performance because you have to execute the GET call only once, at the beginning of your program.
- By terminating the session cookie, you secure the system, because the cookie and CSRF token can no longer be used.
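The four steps as one flow, in an added Python example (not the original ABAP program): the token and cookie are fetched once, reused for every POST, and the logoff call sits in a `finally` block so the session is invalidated even when an import fails. The host `mkt.example`, the `/svc` and `/logoff` paths, the `auth` headers, the payload and the in-memory `FakeServer` are constructed assumptions; substitute your system's service and logoff URLs.

```python
import json
import urllib.request

def http_send(method, url, headers, body=None):
    """Real transport (stdlib): returns (status, [(header, value), ...], body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.getheaders(), resp.read()

def import_batches(base, service, logoff, payloads, auth, send=http_send):
    """Run steps 1-4; `logoff` path and `auth` headers are caller-supplied assumptions."""
    # Step 1: a single GET on the metadata document fetches token and session cookie.
    _, hdrs, _ = send("GET", base + service + "/$metadata", {**auth, "x-csrf-token": "Fetch"})
    token = next(v for k, v in hdrs if k.lower() == "x-csrf-token")
    # Keep only name=value of each Set-Cookie, dropping attributes such as Path.
    cookie = "; ".join(v.split(";", 1)[0] for k, v in hdrs if k.lower() == "set-cookie")
    session = {"x-csrf-token": token, "Cookie": cookie}
    statuses = []
    try:
        # Steps 2 and 3: build and POST each payload, reusing the same session.
        for payload in payloads:
            status, _, _ = send("POST", base + service + "/ImportHeaders",
                                {**session, "Content-Type": "application/json"},
                                json.dumps(payload).encode())
            statuses.append(status)
    finally:
        # Step 4: log off even if a POST failed, so token and cookie are invalidated.
        send("GET", base + logoff, session)
    return statuses

class FakeServer:
    """Constructed in-memory stand-in for the server, for offline runs only."""
    def __init__(self):
        self.calls, self.live = [], False
    def __call__(self, method, url, headers, body=None):
        self.calls.append(method + " " + url.rsplit("/", 1)[1])
        if headers.get("x-csrf-token") == "Fetch":
            self.live = True
            return 200, [("x-csrf-token", "tok-1"),
                         ("Set-Cookie", "SESSION=abc; path=/; secure; HttpOnly")], b""
        if not (self.live and headers.get("x-csrf-token") == "tok-1"
                and headers.get("Cookie") == "SESSION=abc"):
            return 403, [], b""
        self.live = not url.endswith("/logoff")
        return (201 if self.live else 200), [], b""

if __name__ == "__main__":  # constructed host, paths and payloads
    server = FakeServer()
    print(import_batches("https://mkt.example", "/svc", "/logoff",
                         [{"Id": "1"}, {"Id": "2"}], {}, send=server), server.calls)
```

With the default `http_send`, a non-2xx response raises `urllib.error.HTTPError`, and the `finally` block still performs the logoff.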
Code snippets from ABAP SE38 Program
Open the session:
Use the session:
Close the session: