API Auth Changes with Recent Security Patches (anti-CSRF token)
I'm posting this to help anyone using the API and session cookie tokens for scripts, so you don't bang your head against the wall like I did wondering what happened. I did read the patch README and made a mental note of the IMPACTS section concerning anti-CSRF tokens and custom API work, but the note ended up getting lost in the filing cabinet. For OneFS v8.0.0.4, this concerns patch-211980, but it will affect the other versions with their similar patches as well.
Once a month I run a Perl script against the Isilon to gather basic metrics on storage use by various areas/departments and email to management. I am using Session Cookies for authentication (docu66301 - Isilon OneFS version 8.0.0 API Reference starting on page 17). It gave an "ERROR authorization required" this month. As noted in the README, I needed to take a look at https://support.emc.com/kb/517421 which describes the new requirement for a custom header (X-CSRF-Token) and a referer of the node you are running against.
In Perl I'm using the REST::Client module, so after isolating the new token, I had to add the following two headers to my calls:
$client->addHeader('X-CSRF-Token', $isicsrf);
$client->addHeader('Referer', $host);
I kept the session cookie token as a "cookie" (this didn't change):
$client->GET($cluster_stats . "?key=" . $key_ibt,{ 'Cookie'=>$isisessid });
Something to watch for:
The session cookie token is expected (or accepted) in the format 'isisessid=biglongtokenvalue', while the anti-CSRF token is required to be just the 'biglongtokenvalue' (you have to strip off the 'isicsrf=' part before assigning it to the custom header X-CSRF-Token).
I hope this helps someone.
Tim681
1 Message
2
June 6th, 2018 10:00
Thanks. This was huge for me as I was trying to write some .Net code and I kept getting '401' error messages when trying to do a GET on "session/1/session" using my cookie session. I didn't have access to any of the README notes - just the API documentation online. Initially testing on a VM things worked fine, but when switching to our production Isilon, that's when I started getting the authorization errors. I was always wondering when creating the cookie for the very first time what the 'isicsrf' value was for. It wasn't mentioned in the API documentation so I just ignored it.
For any others that may need a start, here is what I used to get session info (GET "session/1/session") about my current cookie.
CookieID - the value of 'isisessid=xxxxxx' from the cookie
CookieCSRF - the value of 'yyyyyy' from the cookie with the 'isicsrf=' removed
isilonUrl - the address of your isilon - 'https://1.1.1.1:8080'
using (var client = new HttpClient(new HttpClientHandler { UseCookies = false }))
{
    // session cookie stays a Cookie header; the CSRF token and Referer are the new requirements
    client.DefaultRequestHeaders.Add("Cookie", CookieID);
    client.DefaultRequestHeaders.Add("X-CSRF-Token", CookieCSRF);
    client.DefaultRequestHeaders.Add("Referer", isilonUrl);
    var response = await client.GetAsync(
        isilonUrl + "/session/1/session");
    response.EnsureSuccessStatusCode();
    //get the session information
    var body = await response.Content.ReadAsStringAsync();
}
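The two posts above describe the same flow (log in, keep 'isisessid=...' as the Cookie header, send the bare isicsrf value as X-CSRF-Token, set Referer to the node you are calling). Here is the same thing as an added Python example; it is not code from either poster or from Dell/Isilon. It assumes the login call is POST /session/1/session with a JSON body of username, password and services, as documented in the OneFS API reference, and HOST, the username and the password are placeholders. The sample Set-Cookie values at the bottom are constructed so the parsing part runs offline.

```python
"""Added example for this thread: log in to the OneFS API, pull isisessid and
isicsrf out of the Set-Cookie headers, and build the headers the patched API
expects. Assumed (not in the thread): POST /session/1/session with a JSON
body of username/password/services; HOST is a placeholder."""
import json
import ssl
import urllib.request

HOST = "https://isilon.example.invalid:8080"   # placeholder cluster address


def _cookie_name_value(set_cookie):
    """Take 'name=value; Path=/; HttpOnly' and return ('name', 'value')."""
    first = set_cookie.split(";", 1)[0].strip()
    name, _, value = first.partition("=")
    return name.strip(), value.strip()


def parse_session_cookies(set_cookie_headers):
    """Return (cookie_header, csrf_token) from the login response's Set-Cookie values.

    cookie_header keeps the 'isisessid=' prefix because that is what the
    Cookie request header carries; csrf_token is the bare isicsrf value,
    because X-CSRF-Token must not include the 'isicsrf=' part.
    """
    found = {}
    for raw in set_cookie_headers:
        name, value = _cookie_name_value(raw)
        if name in ("isisessid", "isicsrf"):
            found[name] = value
    missing = {"isisessid", "isicsrf"} - found.keys()
    if missing:
        raise ValueError(f"login response did not set {sorted(missing)}")
    return f"isisessid={found['isisessid']}", found["isicsrf"]


def session_headers(cookie_header, csrf_token, referer):
    """Headers for every later call: session cookie, anti-CSRF token, Referer."""
    return {
        "Cookie": cookie_header,
        "X-CSRF-Token": csrf_token,
        "Referer": referer,
    }


def login(host, username, password, verify_tls=True):
    """POST /session/1/session and return (cookie_header, csrf_token)."""
    body = json.dumps({"username": username, "password": password,
                       "services": ["platform", "namespace"]}).encode()
    req = urllib.request.Request(f"{host}/session/1/session", data=body,
                                 method="POST",
                                 headers={"Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab clusters with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_session_cookies(resp.headers.get_all("Set-Cookie") or [])


def get_json(host, path, headers):
    """GET an API path with the session headers and decode the JSON body."""
    req = urllib.request.Request(f"{host}{path}", headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


# Constructed sample Set-Cookie values shaped like a login response (not real tokens).
SAMPLE_SET_COOKIE = [
    "isisessid=abc123; Path=/; HttpOnly; Secure",
    "isicsrf=xyz789; Path=/; Secure",
]

if __name__ == "__main__":
    cookie, csrf = parse_session_cookies(SAMPLE_SET_COOKIE)
    print(session_headers(cookie, csrf, HOST))
    # Against a real cluster:
    #   cookie, csrf = login(HOST, "user", "pass")
    #   get_json(HOST, "/session/1/session", session_headers(cookie, csrf, HOST))
```

The check that matters is the one in parse_session_cookies: it refuses to continue if either cookie is missing, so a script fails at login rather than with an unexplained 401 on the first GET, and it hands back the CSRF value without the 'isicsrf=' prefix so the mistake described above cannot happen downstream.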
apalomet
1 Message
0
May 25th, 2023 13:00
This helped me a lot. Thanks.
For those using curl, getting the cookie looks like the example below:
From the response you get the cookie data to be used for subsequent curl calls, like the example below (values are examples, not my actual ones).