Change record status: 
Project: 
Introduced in branch: 
7.x-3.x
Introduced in version: 
3.4
Description: 

As of the security advisory at https://drupal.org/node/2012982, Services has introduced an additional validation mechanism for non-safe REST calls (HTTP methods POST, PUT, DELETE) when session authentication is enabled.

In order to make POST (and other non-safe) requests, Services now expects an X-CSRF-Token header. The header must carry a token that can be retrieved by making a GET request to the 'services/session/token' URL while sending the session cookie.

Please check the test method ServicesWebTestCase::addCSRFHeader() for details.
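A worked model of the two-step flow described above, added here as an example; it is not code from the Services module or from Drupal. An in-process class stands in for the site: its token derivation (an HMAC of the session ID under a server secret, in the spirit of Drupal's drupal_get_token()) and the "SESS" cookie name are assumptions made for the example. The demo exercises the cases a client runs into: a POST without the header, a POST with the correct token, a token lifted from another session, a safe GET that needs no token, and token requests that arrive without a session cookie.

```python
"""Model of the Services 3.4 CSRF check: fetch a token, then send it as
X-CSRF-Token on every non-safe call made under session authentication.
Example code only; the Server class is a stand-in, not the module."""
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # calls that never need the token
TOKEN_PATH = "services/session/token"        # endpoint named in the change record
COOKIE_NAME = "SESS"                         # assumption: simplified session cookie name


class Server:
    """Minimal stand-in for a Drupal site with Services session authentication.

    Assumption: a token is an HMAC over the session ID keyed with a per-site
    secret, so each token is bound to exactly one session (modelled on the
    drupal_get_token() pattern, not copied from the module)."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self._sessions = {}                  # session id -> user name

    def login(self, user):
        """Create an authenticated session and return its ID (the cookie value)."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def _token_for(self, sid):
        return hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()

    def _session_from(self, headers):
        name, _, value = headers.get("Cookie", "").partition("=")
        return value if name == COOKIE_NAME and value in self._sessions else None

    def handle(self, method, path, headers):
        """Return (status, body) for one request."""
        sid = self._session_from(headers)
        if path == TOKEN_PATH and method == "GET":
            # The token is tied to the session the request carries. A request
            # without a valid cookie is treated as a fresh anonymous session,
            # so its token changes on every call and cannot be used later.
            return 200, self._token_for(sid or secrets.token_hex(16))
        if method in SAFE_METHODS:
            return 200, "ok"
        if sid is None:
            return 401, "Unauthorized: session authentication required"
        supplied = headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(supplied, self._token_for(sid)):
            return 401, "CSRF validation failed"
        return 200, f"{method} {path} accepted for {self._sessions[sid]}"


class Client:
    """Client side of the flow: GET the token once, then send it on writes."""

    def __init__(self, server, sid=None):
        self.server = server
        self.sid = sid
        self.token = None

    def headers(self, extra=None):
        h = {"Cookie": f"{COOKIE_NAME}={self.sid}"} if self.sid else {}
        h.update(extra or {})
        return h

    def fetch_token(self):
        _, body = self.server.handle("GET", TOKEN_PATH, self.headers())
        self.token = body
        return body

    def post(self, path):
        extra = {"X-CSRF-Token": self.token} if self.token else {}
        return self.server.handle("POST", path, self.headers(extra))


def demo():
    """Run the scenarios and return each outcome keyed by name."""
    server = Server()
    alice = Client(server, server.login("alice"))
    results = {}
    results["post_without_token"] = alice.post("node")[0]          # 401
    alice.fetch_token()
    results["post_with_token"] = alice.post("node")[0]             # 200
    mallory = Client(server, server.login("mallory"))
    mallory.token = alice.token          # token from someone else's session
    results["token_from_other_session"] = mallory.post("node")[0]  # 401
    results["get_without_token"] = server.handle(
        "GET", "node/1", alice.headers())[0]                       # 200
    anon = Client(server)                # no session cookie at all
    results["cookieless_tokens_differ"] = (
        anon.fetch_token() != anon.fetch_token())                  # True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the token is a function of the session, the same client must send its session cookie both when fetching the token and when spending it; a token fetched without the cookie belongs to a throwaway anonymous session and will be rejected on the later POST.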

Impacts: 
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done

Comments

dmitry.n:

Please change the method name to ServicesWebTestCase::addCSRFHeader()

ashergwebb:

The XMLHttpRequest issued to a Services endpoint is required to have a request header with a name of "Cookie" and a value of "Session_Name"="Session_ID", which were received in the initial data object returned upon successful login. To enable session authentication, the "Cookie" request header must be sent with the /services/token call.
This is problematic because WebKit browsers will refuse to set a request header of Cookie, based on the W3C spec:
http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader()-method

Is there any way the request header the server authenticates could be named X-Cookie or the like, to prevent this issue?

andreabenfatto:

I'm going crazy! On Safari, every time I reload http://mysite/services/session/token I obtain a different token.
In Chrome, when I reload, the token is always the same... :-\
Thank you in advance.
A

monaw:

> Header should have a token that can be retrieved by using GET request to 'services/session/token' URL.

Shouldn't the Services URL to retrieve a token be services/user/token, not services/session/token?