
XSRF-TOKEN correlation issue


Hi,

I am getting some Erreur -26628: Code d´état HTTP=403 (Forbidden) errors because of the web_add_header (XSRF-TOKEN) correlation.

It works with some scripts, but the new ones are not working. I'm using the same automatic correlation. (It's the same method.)

For the working script

Here is the correlation parameter

/*Correlation comment - Do not change!  Original value='6d04e186-53db-45b2-9be0-b2e2ea5752b1' Name ='CorrelationParameter' Type ='ResponseBased'*/
    web_reg_save_param_regexp(
        "ParamName=CorrelationParameter",
        "RegExp=XSRF-TOKEN=(.*?);",
        "Ordinal=2",
        SEARCH_FILTERS,
        "Scope=Cookies",
        "IgnoreRedirections=No",
        LAST);

Request

POST /XXX/api/dossier/20180806-00061/cloture?version=0.1 HTTP/1.1
X-XSRF-TOKEN: 6d04e186-53db-45b2-9be0-b2e2ea5752b1
Accept: application/json, text/plain, */*
Content-Type: text/plain
Referer: https://XX.XXX.XXX.fr/XXX/
Accept-Language: fr-FR,en-US;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: XXX.XXXX.XXX.fr
Content-Length: 7
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: XSRF-TOKEN=6d04e186-53db-45b2-9be0-b2e2ea5752b1; appz=eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiJhMzhhZmNiNS03OWYyLTRlZGQtOTFhMy0xZTYyYTgyZGVkMmUiLCJzdWIiOiJTRzA3NjkwUyIsImlhdCI6MTUzMzU0OTU0MCwiZXhwIjoxNTMzNTg1NTQwLCJmaXJzdE5hbWUiOiJTYWx2byIsImxhc3ROYW1lIjoiR0FOQ0kiLCJlbWFpbCI6InNhbHZhdG9yZS1leHRlcm5lLmdhbmNpQGVkZi5mciIsImF1dGhvcml0aWVzIjpbIkFETUlOIl0sImNhZENvZGVPcGVyYXRldXIiOiIxMDBDQUQxIiwiY2FkTGliZWxsZU9wZXJhdGV1ciI6Ik5vaXN5LWxlLUdyYW5kIn0.GN3oIiQLz3CEwD4B6qsCm45TicYlkmoYg7r1iBQhL15nkOG8sZ2a_0Z2mUDy92QJXZk3miHmRkLab3RlDvJUxg

Cloture

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: XSRF-TOKEN=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/test; Secure
Set-Cookie: XSRF-TOKEN=6e850089-4dc0-484d-a80f-afd946d7ade3; Path=/test; Secure
enecad-version: 0.1
Access-Control-Allow-Headers: Authorization, x-xsrf-token, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers
X-Application-Context: application
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Mon, 06 Aug 2018 09:59:18 GMT

{"dossierId":"20180806-00061","cadCode":"100CAD1","civiliteInterlocuteur":"","prenomInterlocuteur":"","nomInterlocuteur":"","telephoneInterlocuteur":"","mailInterlocuteur":"","categorieClient":"","type":"XXX","typePanne":"INDIVIDUEL","typeQualification":"INCIDENT","description":"Test","escalierEtEtageEtAppartement":"TEST","batiment":"test","numeroEtNomVoie":"RUE CHEMIN","lieuDit":"TEST","communeLibelle":"PARIS","codeInsee":"75101","codePostal":"75001","prmId":null,"typeCompteur":"","nbFilsCompteur":"","matriculeCompteur":"","tensionCompteur":"","intensiteCompteur":"","typeDisjoncteur":"","nbPoleDisjoncteur":"","intensiteDisjoncteur":"","plagesHeuresCreuse":"","puissanceSouscrite":"","codeTarif":"","nomTitulaire":"","prenomTitulaire":"","telephoneTitulaire":"","telephoneTitulaire2":"","etatDossier":"CLOS","dateCreation":"2018-08-06T09:50:15.123+0000","dateModification":"2018-08-06T09:59:18.745+0000","ouvrages":null,"flagEmail":false,"emailDestinataireTransmission":null,"nniOperateur":"TRE2020","nomOperateur":"TEST","prenomOperateur":"Mike","cadCodeOperateur":"100CAD1","cadLibelleOperateur":"Noisy-le-Grand","reportDossier":{"dateReport":null,"reportRaison":null,"description":null,"reporte":false,"nni":null,"dateReportDemande":null},"etat7DerniereErreur":null,"etat7AnnulationDerniereErreur":null,"note":null}


Non-working script

Request

POST /XXXX/api/dossier?version=0.1 HTTP/1.1
Content-Type: application/json
Cache-Control: no-cache
Referer: https://XX.XXXX.XXX.fr/XXX/
X-XSRF-TOKEN: {CorrelationParameter}
DNT: 1
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows; Trident/6.0)
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,en-US;q=0.5
Accept: */*
Connection: Keep-Alive
Host: XXX.XXX.XXX.fr
Authorization: Basic U0cwNzY5MFM6RW5lQ0FEQDIwMTg=
Cookie: XSRF-TOKEN=fd2a54d6-0ee2-45c1-bb05-8fbeafdb79d5; XSRF-TOKEN=9ae44c3f-9994-403d-ac0c-168283685809; appz=eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiJmNDE3ZDMyYS1lOWU1LTQwMTUtOTBiNS03MWM4YjA0MDJlNzQiLCJzdWIiOiJTRzA3NjkwUyIsImlhdCI6MTUzMzY0MjM3NCwiZXhwIjoxNTMzNjc4Mzc0LCJmaXJzdE5hbWUiOiJTYWx2byIsImxhc3ROYW1lIjoiR0FOQ0kiLCJlbWFpbCI6InNhbHZhdG9yZS1leHRlcm5lLmdhbmNpQGVkZi5mciIsImF1dGhvcml0aWVzIjpbIkFETUlOIl0sImNhZENvZGVPcGVyYXRldXIiOiIxMDBDQUQxIiwiY2FkTGliZWxsZU9wZXJhdGV1ciI6Ik5vaXN5LWxlLUdyYW5kIn0.1EQ5Z1OW1r-h1V5Q2tGDrTAwD_-cqiNAZa-Kg75meLh_KR5gRwlSHVpqi2rUYIcMNpns1fb0ICSfwmb80cj2DA
Content-Length: 668

{"categorieClient":"","civiliteInterlocuteur":"","codeTarif":"","communeLibelle":"PARIS","codeInsee":"75108","codePostal":"75008","description":"","dossierId":"20180807-00065","intensiteCompteur":"","intensiteDisjoncteur":"","mailInterlocuteur":"","matriculeCompteur":"","nbFilsCompteur":"","nbPoleDisjoncteur":"","nomInterlocuteur":"","nomTitulaire":"","plagesHeuresCreuse":"","prenomInterlocuteur":"","prenomTitulaire":"","puissanceSouscrite":"","telephoneInterlocuteur":"","telephoneTitulaire":"","telephoneTitulaire2":"","tensionCompteur":"","typeCompteur":"","typeDisjoncteur":"","ouvrages":[],"flagEmail":false,"typeQualification":"Clienttest"}

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
enecad-version: 0.1
Access-Control-Allow-Headers: Authorization, x-xsrf-token, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Tue, 07 Aug 2018 11:46:14 GMT

{"code":"TOBEDEFINED01","type":"TECH","libelle":"Erreur inattendue","httpStatus":403,"descriptionTechnique":"Erreur inattendue"}


Thanks for your help!

Mike
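As an added illustration, not code from the post or from LoadRunner itself: a small Python model of the two mechanisms involved, the Ordinal=2 capture over the Set-Cookie headers and the server-side double-submit comparison of the XSRF-TOKEN cookie against the X-XSRF-TOKEN header. It assumes the server honours the first XSRF-TOKEN cookie it receives; token values and the Set-Cookie sample are constructed.

```python
import re
import hmac

# Constructed sample modelled on the 200 response in the post: the server first
# clears the old XSRF-TOKEN cookie, then sets a fresh one. Values are made up.
SET_COOKIE_HEADERS = [
    'XSRF-TOKEN=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/test; Secure',
    'XSRF-TOKEN=11111111-aaaa-4bbb-8ccc-000000000001; Path=/test; Secure',
]

# Mirrors the script's "RegExp=XSRF-TOKEN=(.*?);" with Scope=Cookies.
TOKEN_RE = re.compile(r'XSRF-TOKEN=(.*?);')


def capture_token(set_cookie_headers, ordinal):
    """Return the ordinal-th (1-based) XSRF-TOKEN match across the Set-Cookie
    headers, the way web_reg_save_param_regexp with Ordinal=N picks one
    occurrence. Ordinal=1 would capture the cleared cookie ("") here."""
    matches = TOKEN_RE.findall("\n".join(set_cookie_headers))
    if ordinal < 1 or ordinal > len(matches):
        return None
    return matches[ordinal - 1]


def parse_cookie_header(cookie_header):
    """Split a Cookie request header into (name, value) pairs, keeping
    duplicates in the order the client sent them."""
    pairs = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def double_submit_ok(cookie_header, x_xsrf_token_header):
    """Server-side double-submit check: the X-XSRF-TOKEN header must equal the
    first XSRF-TOKEN cookie. A second, stale XSRF-TOKEN cookie (different Path)
    sent before the fresh one therefore makes a correctly captured token fail.
    Constant-time compare avoids leaking how many leading bytes matched."""
    cookies = parse_cookie_header(cookie_header)
    cookie_token = next((v for n, v in cookies if n == "XSRF-TOKEN"), None)
    if not cookie_token or not x_xsrf_token_header:
        return False
    return hmac.compare_digest(cookie_token, x_xsrf_token_header)
```

Compare the failing request above: its Cookie header carries two XSRF-TOKEN values, so whichever one the server reads first must be the one sent in X-XSRF-TOKEN, and an unsubstituted {CorrelationParameter} placeholder can never match.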

Accepted Solutions
Re: XSRF-TOKEN correlation issue


Probably you are not capturing the correct values for the token. Try doing it manually and add web_add_header above the request and check if that works.


Re: XSRF-TOKEN correlation issue

Hi,
The XSRF token has an expiry time, so it will generate another value once it has expired.
While logging in it will generate one token, and then it will generate another value via another LB (by using the previous token value).
Try to capture that value using Fiddler or the developer tools; you will see a refresh request & response. Write custom code to refresh the token manually and pass the refreshed code before the 2nd correlation value.