CSRF Token Validation Failed in POST method in Gateway Client
Introduction:
With the latest version of S/4HANA, we get “CSRF Token Validation Failed” in the Gateway client (T-code: /IWFND/GW_CLIENT). In previous versions of S/4HANA, this error was not raised when testing in the Gateway client or in an API testing tool such as Postman. The latest version of S/4HANA raises this error because it follows a stricter X-CSRF rule. Check out SAP Note 2597429 for more information.
Issue Resolution:
- The Cookie has to be sent along with X-CSRF-TOKEN in the POST request header.
- Use Postman to test the API, as the length of the cookie may exceed 255 characters. The maximum length of the module pool field is 255, so the cookie value cannot be set properly in the request header in the Gateway client. Postman is therefore preferred.
Fetch CSRF Token and Cookie and Set in POST request:
To fetch the CSRF token, we call a GET API. We can either use the same OData API that we will use to push the data, or have a separate API that is used centrally to fetch the CSRF token and cookie.
To fetch the CSRF token, maintain the request header parameter as shown below. After that, click on “Save”.
(Header parameter in request to fetch CSRF Token)
Once we click on the “Send” button, we get the response shown below. The status is “200”, which means the call succeeded, and the CSRF token and cookie have been retrieved.
(Response from GET API)
We can see that the CSRF token and Cookie have been retrieved. There are two entries for the cookie, so both values have to be concatenated with a semicolon “;” as the separator.
Provide the CSRF token and Cookie retrieved in the previous step in the POST request.
We can see that the data is posted successfully.
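The same round trip in plain Python, as an added example that is not part of the blog post: send the GET with `X-CSRF-Token: Fetch`, pull the token and every Set-Cookie header out of the response, join the cookies with “;”, and send both on the POST. The service URLs, credentials, token and cookie values below are placeholders, and the sample response headers are constructed; the 255-character check mirrors the module pool field limit mentioned above.

```python
"""Added example (not the blog post's code): fetch a Gateway CSRF token and the
session cookies with a GET, then reuse them on a POST. URLs, credentials and
the sample header values are placeholders/constructed."""
import base64
import json
import urllib.request

# Header value the Gateway expects on the GET that fetches a token.
FETCH_TOKEN_HEADER = {"X-CSRF-Token": "Fetch"}

# Maximum length of a header value field in /IWFND/GW_CLIENT, per the post.
GW_CLIENT_FIELD_LIMIT = 255

# Constructed sample of the token-fetch GET response headers
# (cookie names follow the usual SAP pattern; all values are placeholders).
SAMPLE_RESPONSE_HEADERS = [
    ("content-type", "application/json"),
    ("x-csrf-token", "PLACEHOLDER-CSRF-TOKEN"),
    ("set-cookie", "sap-usercontext=sap-client=100; path=/"),
    ("set-cookie", "SAP_SESSIONID_XYZ_100=PLACEHOLDER-SESSION-ID; path=/; HttpOnly"),
]


def cookie_header_from_set_cookie(set_cookie_values):
    """Join every Set-Cookie header into one Cookie request header.

    Only the name=value part of each cookie is echoed back; attributes such as
    path or HttpOnly are instructions for the client, not cookie data. The
    post's point is that all cookies (usually two) go back, joined with ';'.
    """
    pairs = [v.split(";", 1)[0].strip() for v in set_cookie_values]
    return "; ".join(p for p in pairs if p)


def parse_fetch_response(headers):
    """Extract (token, cookie_header) from (name, value) response header pairs."""
    token = None
    set_cookies = []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-csrf-token":
            token = value
        elif lname == "set-cookie":
            set_cookies.append(value)
    return token, cookie_header_from_set_cookie(set_cookies)


def build_post_headers(token, cookie_header, content_type="application/json"):
    """Headers for the modifying request: the token is only valid with its session cookie."""
    if not token:
        raise ValueError("no X-CSRF-Token in the GET response; was 'X-CSRF-Token: Fetch' sent?")
    if not cookie_header:
        raise ValueError("no Set-Cookie in the GET response; the token is bound to the session cookie")
    return {"X-CSRF-Token": token, "Cookie": cookie_header, "Content-Type": content_type}


def fits_gw_client(cookie_header):
    """True if the Cookie value would fit in a GW_CLIENT header field at all."""
    return len(cookie_header) <= GW_CLIENT_FIELD_LIMIT


def post_with_csrf(get_url, post_url, user, password, payload):
    """Live round trip (needs a reachable Gateway): GET for the token, then POST the payload."""
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(get_url, headers={**FETCH_TOKEN_HEADER, "Authorization": auth})
    with urllib.request.urlopen(req) as resp:
        token, cookie_header = parse_fetch_response(resp.headers.items())
    headers = build_post_headers(token, cookie_header)
    headers["Authorization"] = auth
    req = urllib.request.Request(
        post_url, data=json.dumps(payload).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline walk-through on the constructed sample; swap in real URLs for post_with_csrf().
    token, cookie = parse_fetch_response(SAMPLE_RESPONSE_HEADERS)
    print(build_post_headers(token, cookie))
    print("fits a GW_CLIENT header field:", fits_gw_client(cookie))
```

`parse_fetch_response` matches header names case-insensitively because servers and proxies differ in casing, and `build_post_headers` refuses to build a request with only one of the two values, which is exactly the situation that produces “CSRF Token Validation Failed”.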
Conclusion:
We saw how to fetch the CSRF token and Cookie using a GET request and how to set them in the POST request. Doing so resolves the CSRF token issue.
Please follow the blog post to see how fetching and setting the CSRF token and cookie can be automated in Postman.
Awesome... Worked for us.
Hi Shweta, nice to hear it helped you.
Thanks,
Gourab
Unfortunately this didn't work for me.
Also tried disabling the CSRF Token check as described in https://apps.support.sap.com/sap/support/knowledge/preview/en/2597429
But this didn't help either.
Any ideas what else I could be missing?
Thanks in advance
Hello
Where do I get the ZGEN_TOKEN_SRV service from?
Hi Gourab,
I am getting only one cookie and when passed still facing error.
BR, Mahesh R.
I was able to fix it by getting all the cookies with below syntax and passing it on to POST Request
Hi together,
Is there a way of still using GW_CLIENT and not disabling the csrf-checks for all requests (independent of the source, GW_CLIENT or a call from outside the system)?
For debugging reasons I really like the /IWFND/ERROR_LOG and the "replay" via GW_CLIENT; I don't want to miss this feature after upgrading to S/4 Hana 2021.
Regards Hendrik