The aim of this Blog is to explain how CSRF token protection works in SAP Gateway and how should developers implement it.
The ideal flow is like the following:
- The client application sends a GET request with header X-CSRF-TOKEN: Fetch (this is usually sent in the $metadata or in a simple service document request).
- The server then responds with 200 OK and response header: X-CSRF-TOKEN: <tokenValue> and one or more Set-Cookie headers (not highlighted below) 这里是重点
- The client has to store this token and all the cookies in the Set-Cookie response header (the cookie here identifies the HTTP session) and send in every modification request* throughout its session. When the session renews the CSRF token has to be renewed as well, by requesting a token again.
*A modification request, is a non-GET request like POST, PUT, PATCH, MERGE, DELETE (CUD). Note, that $batch requests are always sent with POST method. - The server will check this token and the session ID cookie(s) and if they’re valid and matching, it’ll process the request. If at least one of them is invalid or expired then the server will respond with 403 Forbidden, with response header: X-CSRF-TOKEN: Required, with response body: “CSRF Token required”
- The client has to automatically send a new GET request with X-CSRF-TOKEN: Fetch and retrieve the new token from the response header.