Invalid CSRF on attempt to create a subject via REST API


mozzy mutesa

Feb 17, 2020, 1:19:50 PM2/17/20
to xnat_discussion
Hello, I am able to retrieve resources via REST.

I attempted to create a new empty subject as below using this endpoint http://41.220.3.47/data/archive/projects/Test/subjects/1000 in PostMan,
but I keep getting the error below. Note that I can successfully do GET requests.

java.lang.Exception: INVALID CSRF (PUT on URL: http://41.220.3.47/data/archive/projects/Test/subjects/1000 from 102.84.92.135 (38974) user: 172.20.0.4
Headers:
host: 41.220.3.47
x-real-ip: 102.84.92.135
x-forwarded-host: 41.220.3.47
x-forwarded-server: 41.220.3.47
x-forwarded-for: 102.84.92.135
connection: close
content-length: 0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36
cache-control: no-cache
authorization: Basic YWRtaW46YWRtaW4=
postman-token: 52910b05-2c8c-8380-94f1-22a6d0217f71
accept: */*
origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9
cookie: JSESSIONID=56D0804F78E71EE0702E8D8E2290582F; SESSION_EXPIRATION_TIME="1581963158773,900000"

 Cookies:
JSESSIONID 56D0804F78E71EE0702E8D8E2290582F -1 null
SESSION_EXPIRATION_TIME 1581963158773,900000 -1 null

Herrick, Rick

Feb 17, 2020, 2:14:00 PM2/17/20
to xnat_di...@googlegroups.com

The issue is the user-agent header in the request:

user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36

XNAT checks requests and, if a request comes from an "interactive agent" (i.e. a browser or something similar), it tests that the CSRF token matches the token stored in the user's login session. This is to prevent cross-site request forgeries by malicious scripts embedded in the browser or other sites or whatever. If the request does not come from an interactive agent (e.g. curl, httpie, or other command-line tools), XNAT doesn't check for the CSRF token.

In your case, this request appears to XNAT to be coming from an interactive agent, specifically Chrome v80 on Windows 10, so it's checking the CSRF token, not finding it, and letting you know.

There are three ways to solve this:

  • Change how you're making that query to use a different user agent. If you use a command-line tool like curl or httpie, these already have different values for the user-agent header that won't be considered as interactive agents. Httpie has the value "HTTPie/2.0.0", so those requests don't require the CSRF token. This is pretty easy to do in PostMan, so you can set something like "PostMan" as the user-agent header value.
  • Change the interactive agent IDs setting under Administer->Site Administration->Security->User Logins/Session Controls->Interactive Agent IDs. The default value for this is ".*MSIE.*,.*Mozilla.*,.*AppleWebKit.*,.*Opera.*". It's the ".*Mozilla.*" and ".*AppleWebKit.*" patterns that you're matching. You probably don't want to do this if your XNAT instance is accessible by anyone other than yourself, as removing Mozilla and AppleWebKit from the agent specifications leaves you open to CSRF attacks from a wide variety of browsers.
  • Add the CSRF token to your request. You can get the current value from the source of one of the XNAT pages in your browser (look for "var csrfToken = 'xxx'") or one of the referenced calls from an XNAT page (look for XNAT_CSRF=xxx on the request URL) and add that to the URL you're calling, so your request below becomes http://41.220.3.47/data/archive/projects/Test/subjects/1000?XNAT_CSRF=xxx.


HTH


-- 
Rick Herrick
Sr. Programmer/Analyst
Neuroinformatics Research Group
Washington University School of Medicine
Phone: +1 (314) 273-1645

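The decision Rick describes above, modelled in Python as an added example (this is not code from the thread or from XNAT itself). It splits the default "Interactive Agent IDs" setting into regexes, decides whether a given User-Agent would trigger the CSRF check, pulls the token out of a page's `var csrfToken = '...'` line, and builds the `?XNAT_CSRF=` URL for the PUT. Assumptions, labelled in the comments: patterns are applied as full-string matches (for the `.*`-wrapped defaults this makes no difference), safe methods such as GET are exempt (consistent with the GETs succeeding in the original post), and the page HTML and token value are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Default "Interactive Agent IDs" value quoted in Rick's reply.
DEFAULT_INTERACTIVE_AGENT_IDS = ".*MSIE.*,.*Mozilla.*,.*AppleWebKit.*,.*Opera.*"

# User-Agent from the failing PostMan request in the original post.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36")

# Endpoint from the original post.
TARGET_URL = "http://41.220.3.47/data/archive/projects/Test/subjects/1000"

# Constructed page fragment (not a real XNAT page); the token value is made up.
SAMPLE_PAGE_HTML = """<html><head><script>
    var csrfToken = '0c9a5e5f4b0f4a1e9b3c2d1e0f9a8b7c';
</script></head><body>XNAT</body></html>"""

CSRF_TOKEN_RE = re.compile(r"var\s+csrfToken\s*=\s*'([^']+)'")


def interactive_agent_patterns(setting=DEFAULT_INTERACTIVE_AGENT_IDS):
    """Split the comma-separated admin setting into compiled regexes."""
    return [re.compile(p.strip()) for p in setting.split(",") if p.strip()]


def is_interactive_agent(user_agent, patterns=None):
    """True if the User-Agent matches any configured pattern.

    Assumption: patterns are matched against the whole header value;
    the defaults start and end with '.*', so this equals a substring search."""
    patterns = patterns if patterns is not None else interactive_agent_patterns()
    return any(p.fullmatch(user_agent or "") for p in patterns)


def csrf_token_required(method, user_agent, patterns=None):
    """Assumption: only state-changing methods are checked; GET/HEAD/OPTIONS
    succeed in the thread with the same browser User-Agent."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False
    return is_interactive_agent(user_agent, patterns)


def extract_csrf_token(page_html):
    """Recover the token from a page that embeds 'var csrfToken = ...'."""
    match = CSRF_TOKEN_RE.search(page_html)
    if not match:
        raise ValueError("page does not contain a csrfToken assignment")
    return match.group(1)


def add_csrf_param(url, token):
    """Append XNAT_CSRF=<token> to the query string, preserving any existing params."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("XNAT_CSRF", token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_put(url, user_agent, page_html=None):
    """Return (url, headers) for a PUT that the interactive-agent check will accept.

    Non-interactive agents (e.g. 'HTTPie/2.0.0', 'PostMan') go through unchanged;
    browser-like agents need the token taken from a previously fetched page."""
    headers = {"User-Agent": user_agent}
    if csrf_token_required("PUT", user_agent):
        if page_html is None:
            raise ValueError("interactive agent: fetch an XNAT page first to obtain XNAT_CSRF")
        url = add_csrf_param(url, extract_csrf_token(page_html))
    return url, headers


if __name__ == "__main__":
    # The failing request from the thread: browser UA, no token.
    print("Chrome UA needs token:", csrf_token_required("PUT", CHROME_UA))
    # Fix 1: non-interactive User-Agent, no token needed.
    print(build_put(TARGET_URL, "PostMan"))
    # Fix 3: keep the browser UA but carry the page's token.
    print(build_put(TARGET_URL, CHROME_UA, SAMPLE_PAGE_HTML))
```

The User-Agent exemption is only safe because a browser never lets a cross-site page set that header on a forged request; a script or CLI tool that chooses its own User-Agent is not a CSRF victim, since it is not carrying someone else's session cookie.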

Tashrif

Aug 20, 2021, 10:12:44 AM8/20/21
to xnat_discussion
Hi Rick,

None of the ways exists in the Windows XNAT Desktop Client!
