By ygerasimov on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
7.x-3.x
Introduced in version:
3.4
Issue links:
Description:
As of the security advisory at https://drupal.org/node/2012982, Services has introduced an additional validation step for non-safe REST calls (HTTP methods POST, PUT, DELETE) when session authentication is enabled.
To perform such a request, Services now expects an X-CSRF-Token header. The token is retrieved with a GET request to the 'services/session/token' URL. Because the token is bound to the current session, that GET must be sent with the same session cookie as the POST, PUT or DELETE that later presents the token; a token fetched in a different session will not validate.
See the test method ServicesWebTestCase::addCSRFHeader() for details.
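The following is an added example, not code from the Services module or from Drupal, that models the exchange described above so the failure modes can be exercised offline. Token derivation follows Drupal 7's drupal_get_token() (base64url of HMAC-SHA256 keyed with session id, private key and hash salt); the token value string 'services', the cookie name SESSdemo, the two endpoint paths, the status codes and the rule that only session-authenticated requests are checked are assumptions of this model.

```python
"""Model of the Services 3.4 X-CSRF-Token check (added example, not Services code)."""
import base64
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # non-safe methods (POST, PUT, DELETE) need the token
TOKEN_VALUE = "services"                    # assumption: value passed to drupal_get_token()
SESSION_COOKIE = "SESSdemo"                 # constructed name; real Drupal uses SESS<hash>


class SessionAuth:
    """Server side: sessions, token minting and the CSRF check on non-safe methods."""

    def __init__(self):
        self.private_key = secrets.token_hex(32)  # stands in for drupal_get_private_key()
        self.hash_salt = secrets.token_hex(32)    # stands in for drupal_get_hash_salt()
        self.sessions = {}                        # session_id -> uid

    def login(self, uid):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = uid
        return sid

    def get_token(self, session_id, value=TOKEN_VALUE):
        # drupal_get_token(): HMAC-SHA256 keyed with session_id . private_key . hash_salt,
        # base64url-encoded without padding. Different session id -> different token.
        key = (session_id + self.private_key + self.hash_salt).encode()
        mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

    def valid_token(self, session_id, token):
        # Constant-time compare on bytes so a non-ASCII header value cannot raise.
        return hmac.compare_digest(self.get_token(session_id).encode(), token.encode())

    def _session_from_cookie(self, headers):
        for part in headers.get("Cookie", "").split(";"):
            name, _, val = part.strip().partition("=")
            if name == SESSION_COOKIE and val in self.sessions:
                return val, True
        # No valid cookie: a fresh anonymous session id per request, as session_start() would give.
        return secrets.token_urlsafe(32), False

    def handle(self, method, path, headers):
        """Dispatch one request; returns (status, body)."""
        sid, authenticated = self._session_from_cookie(headers)
        if path == "services/session/token":
            return 200, self.get_token(sid)
        if authenticated and method not in SAFE_METHODS:
            token = headers.get("X-CSRF-Token")
            if not token or not self.valid_token(sid, token):
                return 401, "CSRF validation failed"
        return 200, f"{method} {path} handled for uid {self.sessions.get(sid, 0)}"


def demo():
    """Client side of the exchange; returns the status codes so they can be checked."""
    svc = SessionAuth()
    sid = svc.login(uid=42)
    cookie = {"Cookie": f"{SESSION_COOKIE}={sid}"}

    # 1. GET the token with the session cookie, 2. POST with the X-CSRF-Token header.
    _, token = svc.handle("GET", "services/session/token", cookie)
    ok = svc.handle("POST", "node", {**cookie, "X-CSRF-Token": token})
    # Forgetting the header (or a cross-site form post, which cannot read the token) fails.
    missing = svc.handle("POST", "node", cookie)
    # Token fetched WITHOUT the cookie belongs to a throwaway anonymous session and never validates.
    _, stray = svc.handle("GET", "services/session/token", {})
    stray_session = svc.handle("POST", "node", {**cookie, "X-CSRF-Token": stray})
    # Another user's token does not transfer to this session.
    other_sid = svc.login(uid=7)
    _, other_token = svc.handle("GET", "services/session/token",
                                {"Cookie": f"{SESSION_COOKIE}={other_sid}"})
    cross_session = svc.handle("PUT", "node/1", {**cookie, "X-CSRF-Token": other_token})
    # Safe methods are not subject to the check.
    safe_get = svc.handle("GET", "node/1", cookie)
    # With the cookie present the token is stable across reloads.
    _, again = svc.handle("GET", "services/session/token", cookie)
    return {"ok": ok[0], "missing": missing[0], "stray_session": stray_session[0],
            "cross_session": cross_session[0], "safe_get": safe_get[0],
            "token_stable": token == again}


if __name__ == "__main__":
    print(demo())
```

The stray-session case is the one to keep in mind when a client gets a different token on every reload: the token request itself is reaching the server without the session cookie, so each response is minted for a fresh anonymous session and none of them will validate against the logged-in session.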
Impacts:
Module developers
Comments
Please change the method name
Please change the method name to ServicesWebTestCase::addCSRFHeader()
CSRF Token acquisition issue with "Cookie" Request Header
The XMLHttpRequest issued to a services endpoint is required to have a request header with a name of "Cookie" and a value of "Session_Name"="Session_ID", which were received in the initial data object that arrived upon successful login. To enable session authentication, the "Cookie" request header must be issued to the /services/token call.
This is problematic because WebKit browsers will refuse to set a request header of "Cookie" based on the W3C spec:
http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader()-method
Is there any way the request header the server authenticates could be named X-Cookie or the like to prevent this issue?
On Safari (Mac) the token changes on every reload.
I was going crazy! On Safari, every time I reload http://mysite/services/session/token I obtain a different token.
In Chrome, when I reload, the token is always the same... :-\
Thank you in advance.
> Header should have a token
> The header should have a token that can be retrieved by using a GET request to the 'services/session/token' URL.
Shouldn't the Services URL to retrieve a token be services/user/token not services/session/token ?