Consuming ABAP Restful API without having to take care of Session Cookies

BenjaminWeishei
Participant

Hello Experts,

we published an ABAP Restful API (Release 19/09, unmanaged implementation, OData V2), which is consumed by an Azure Function.

In our architecture CSRF protection is not required and we would like to minimize the number of API calls. So we deactivated CSRF protection by setting the GUI configuration parameters in SICF and adding the X-Requested-With header to our POST request. We thought this was enough to avoid having to send a GET request before each POST request.

Then we observed a funny behaviour: POST requests that were sent to the SAP system were converted into GET requests. The system changes the request_method header from POST to GET and processes it as a GET request. The request was originally sent with a POST method (we checked this several times).

It seems that this is related to the session cookies sent by the SAP system. When these session cookies are fetched and included in the POST request, this strange conversion doesn't happen. Sending a POST request without any session cookie causes it to be converted into a GET request.

So my questions are:

1. How can we expose a truly stateless ABAP RESTful API, without CSRF protection AND without bothering our API consumers with any session cookies? A POST request should not require a preceding GET request to fetch anything.

2. Could this be related to the selected Binding Type in the Service Binding (UI or Web API)? Is there documentation that explains the impact of each setting in detail?

Thank you in advance and best regards,

Ben
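An added example, not code from the post or from SAP: a constructed stub server that reproduces the observed behaviour (a POST carrying no session cookie is processed as a GET and a bootstrap GET hands out the cookie), plus a client that pays that bootstrap GET once per consumer rather than once per POST, which is the fallback when the stateless mode cannot be enabled. The cookie name, the /api path and the stub's responses are assumptions.

```python
import http.cookiejar
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed stub of the behaviour the post describes (not a real SAP system).
SESSION_COOKIE = "SAP_SESSIONID_PLACEHOLDER_100"  # placeholder cookie name
class StubSapHandler(BaseHTTPRequestHandler):
    def _reply(self, method):
        has_session = SESSION_COOKIE in self.headers.get("Cookie", "")
        if not has_session:  # no security session yet: request is demoted to GET
            method = "GET"
        body = json.dumps({"processed_as": method}).encode()
        self.send_response(200)
        if not has_session:  # first contact hands out the session cookie
            self.send_header("Set-Cookie", f"{SESSION_COOKIE}=stub; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        self._reply("GET")
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply("POST")
    log_message = lambda *args: None  # keep the stub quiet
class SapClient:  # one cookie jar per consumer: bootstrap GET paid once, not per POST
    def __init__(self, base_url):
        self.base_url, self.bootstrapped = base_url, False
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    def post(self, path, payload):
        if not self.bootstrapped:  # GET only to obtain the session cookie
            self.opener.open(self.base_url + path).close()
            self.bootstrapped = True
        req = urllib.request.Request(self.base_url + path, method="POST",
            data=json.dumps(payload).encode(),
            headers={"X-Requested-With": "XMLHttpRequest"})  # header from the post
        with self.opener.open(req) as r:
            return json.load(r)["processed_as"]
def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubSapHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    # bare POST with no cookie jar first: reproduces the conversion to GET
    req = urllib.request.Request(base + "/api", data=b"{}", method="POST",
                                 headers={"X-Requested-With": "XMLHttpRequest"})
    bare = json.load(urllib.request.urlopen(req))["processed_as"]
    client = SapClient(base)
    result = bare, client.post("/api", {"a": 1}), client.post("/api", {"b": 2})
    server.shutdown()
    return result
```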

Andre_Fischer
Product and Topic Expert

Maybe these 2 SAP Notes will help you to influence the response of the system depending on settings sent by your HTTP client:

2760552 - Limitation of generation of HTTP security sessions - SAP ONE Support Launchpad

2754328 - Disable creation of HTTP Security Sessions per request - SAP ONE Support Launchpad

Kind regards,

Andre

BenjaminWeishei
Participant

Hi Andre,

thanks for the quick reply. Unfortunately adding the x-sap-security-session header and changing the security session for the SICF node didn't solve it. Any other ideas?

Could this be related to the Binding Type?

Thanks,

Ben