
A discussion on why OData modifying requests require a CSRF token to be fetched in advance

Jerry Wang
Published 2019-06-25 10:14:40

I have done some searching on the internet and it seems the CSRF token mechanism is not applied only to OData, but is a generic approach to protect exposed HTTP resources from CSRF attacks; for example, the same idea is also applied in the good old ASP.NET MVC application, which has nothing to do with OData.

https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks

https://issues.oasis-open.org/browse/ODATA-262

In SAP implementation, the CSRF token is generated and maintained in so called “security context” managed by ABAP Netweaver:


First the current session ID is retrieved by function TH_GET_SECURITY_CONTEXT_REF: 04D8A63F901811E9ABAD02000A212071


Then the associated context is retrieved by this session ID via cl_http_security_session_admin=>get_associated_contexts. The token is one part of that context.


In this aspect our OData is not stateless, I agree with you. It’s disappointing that we have to explicitly request the token in our nodejs/java/ABAP program; however, in UI5 the UI developer doesn’t need to handle it manually:


https://openui5.hana.ondemand.com/#/api/sap.ui.model.odata.ODataModel/methods/getSecurityToken

Originally published: 2019-06-24