Technology Blogs by Members
gdey_geminius
Contributor

Introduction:


With the latest version of S/4HANA, we get a "CSRF Token Validation Failed" error in the Gateway client (T-code: /IWFND/GW_CLIENT). In previous versions of S/4HANA, this error was not raised when testing in the Gateway client or in an API testing tool such as Postman. The latest version raises it because it follows a stricter X-CSRF rule. See SAP Note 2597429 for more information.

Issue Resolution:



  • The cookie has to be set along with X-CSRF-TOKEN in the POST request header.

  • Use Postman to test the API, as the length of the cookie may exceed 255 characters. The maximum length of the module pool field is 255, so the cookie value cannot be set properly in the request header in the Gateway Client. Postman is therefore preferred.


Fetch CSRF Token and Cookie and Set in POST request:


To fetch the CSRF token, we will call a GET API. Either we can use the same OData API which we will use to push the data or we can have a separate API which can be used centrally to fetch the CSRF token and cookie.

To fetch the CSRF token, maintain the request header parameter as shown below, then click “Save”.


(Header parameter in request to fetch CSRF Token)


Once we click the “Send” button, we get the response shown below. The status is “200”, which means the call was successful, and the CSRF token and cookie have been retrieved.


(Response from GET API)


The response contains the CSRF token and the cookie. There are 2 entries for the cookie, so both values have to be concatenated with a semicolon ";" as the separator.

Provide the CSRF token and cookie retrieved in the previous step in the POST request.


We can see the data is posted successfully.
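
The steps above can also be expressed in code. The following is an added example, not part of the original post: it takes the response headers of the token GET and builds the two headers the POST needs, keeping only the name=value part of each Set-Cookie entry and flagging when the result is too long for the Gateway Client field. The function name, the shape of the input object and all cookie and token values are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. All values are constructed samples.

// Header sent with the GET to request a token.
const FETCH_HEADERS = { 'X-CSRF-Token': 'Fetch' };

// Field length of the Gateway Client header input, as stated in the post.
const GW_CLIENT_FIELD_LIMIT = 255;

// Constructed sample of the GET response headers (hypothetical shape:
// header names in lower case, Set-Cookie entries as an array).
const sampleGetResponse = {
  'x-csrf-token': 'cOnStRuCtEdToKeN0123456789==',
  'set-cookie': [
    'sap-usercontext=sap-client=100; path=/',
    'SAP_SESSIONID_ABC_100=' + 'x'.repeat(240) + '; path=/; secure; HttpOnly',
  ],
};

// Build the POST headers from the GET response headers.
function buildPostHeaders(getHeaders) {
  const token = getHeaders['x-csrf-token'];
  // A value of "Required" is the server's rejection marker, not a token.
  if (!token || token.toLowerCase() === 'required') {
    throw new Error('GET did not return a CSRF token');
  }
  const setCookies = getHeaders['set-cookie'] || [];
  if (setCookies.length === 0) {
    throw new Error('GET returned no cookies; the POST needs them with the token');
  }
  // Keep only "name=value". Attributes such as path, secure and HttpOnly
  // are instructions to the client and are not sent back to the server.
  const pairs = setCookies.map((line) => line.split(';')[0].trim());
  const cookie = pairs.join('; ');
  return {
    headers: { 'X-CSRF-Token': token, Cookie: cookie },
    // false means the value cannot be entered in /IWFND/GW_CLIENT.
    fitsGatewayClient: cookie.length <= GW_CLIENT_FIELD_LIMIT,
  };
}

const result = buildPostHeaders(sampleGetResponse);
console.log(result.headers.Cookie.length, result.fitsGatewayClient);
```

With the constructed sample, the concatenated cookie exceeds the 255-character field, which is the situation in which the post recommends Postman over the Gateway Client.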

Conclusion:


We saw how to fetch the CSRF token and cookie using a GET request and how to set them in the POST request. Doing so resolves the CSRF token issue.

Please follow the blog post to see how the fetching and setting of CSRF token and cookie can be automated in Postman.
8 Comments
shwetajainhere
Explorer
0 Kudos
Awesome.. Worked for us ..
knzonji
Newcomer
0 Kudos
Unfortunately this didn't work for me.
Also tried disabling the CSRF Token check as described in  https://apps.support.sap.com/sap/support/knowledge/preview/en/2597429

But this didn't help either.
Any ideas what else I could be missing?

Thanks in advance
gdey_geminius
Contributor
0 Kudos
Hi Shweta, nice to hear it helped you.

 

Thanks,
Gourab
0 Kudos
Hello

Where do I get the ZGEN_TOKEN_SRV service from?
former_member127349
Discoverer
0 Kudos
Hi Gourab,

I am getting only one cookie and when passed still facing error.

BR, Mahesh R.
2emailmahesh86
Discoverer
I was able to fix it by getting all the cookies with below syntax and passing it on to POST Request
*** Get Cookies from Get call

METHOD if_web_http_response~get_cookies.
  mo_response->get_cookies(
    CHANGING
      cookies = r_value
  ).

  check_error( ).
ENDMETHOD.

*** Loop and set all the cookies to the POST Request

LOOP AT lt_cookies ASSIGNING FIELD-SYMBOL(<cookie>).

  lo_request->set_cookie( i_name    = <cookie>-name
                          i_path    = <cookie>-path
                          i_value   = <cookie>-value
                          i_domain  = <cookie>-domain
                          i_expires = <cookie>-expires
                          i_secure  = <cookie>-secure ).

ENDLOOP.

<<< Below Just FYI >>>
METHOD if_web_http_request~set_cookie.
  mo_request->set_cookie(
    EXPORTING
      name    = i_name
      path    = i_path
      value   = i_value
      domain  = i_domain
      expires = i_expires
      secure  = i_secure
  ).

  r_value = me.

  check_error( ).
ENDMETHOD.
hendrik_l
Explorer
0 Kudos
Hi together,

Is there a way of still using GW_CLIENT and not disabling the csrf-checks for all requests (independent from the source GW_CLIENT or call from outside the system)?

For debugging reasons I really like the /IWFND/ERROR_LOG and the "replay" via GW_CLIENT, don't want to miss this feature after upgrading to S/4 Hana 2021.

Regards Hendrik
Jelena
Active Contributor
0 Kudos

Thanks for sharing this! I know it's an old post but I stumbled upon this when googling the infamous CSRF token error message.

I've used the "get token by GET, then use in POST" method before and it worked fine. It was an unpleasant surprise when it suddenly didn't work and the error message was the same about invalid token. Well, turns out the token was valid but I was missing the cookie part. Would be helpful if the error message was more accurate. But thankfully, Community to the rescue! 🙂

Note: I didn't need to concatenate cookies. There were 3 of them in my case and with some trial and error I found that I only needed to include the last one. So if that's the case for someone, try different cookie value variations. I'd be curious to understand more about this, right now it's just I made it work but don't understand why it didn't work before and why what I did solved it. Hm.

I'm not sure what was the latest S/4HANA version when this was written. I worked with 2020 version before and just recently got access to 2022 one. It says SAP made a change at some point. I believe it's true but have not found any evidence or details of what and when was changed. The SAP note mentioned here is very old, from 2018. It doesn't have any helpful information at this time.

Thanks again!
