CSRF Fetch anomaly during REST API implementation

I am implementing a third-party integration that uses basic auth (for now), fetches a CSRF token and, by using the received CSRF token, makes subsequent HTTP requests (REST). I am facing a peculiar issue. Let me write it simply:

  1. I fetch the CSRF token by putting the correct credentials and receive the token.
  2. I use it to make requests and decide to close the app.
  3. I reopen the app again and it prompts me to enter my credentials again (which it should).
  4. I type random (incorrect) credentials in the username and password fields and click on fetch.
  5. I still get the same token.

Now I am not able to understand how that is possible. How does the SAP session management work? I mean if I am able to get the CSRF token regardless of my basic credentials, how is it secure? Or am I missing something in the configuration of the service in SICF? Below are the standard settings of my service that I have not changed.

[Two screenshots of the SICF service settings]

My question is: How am I able to get a CSRF token (the same one I received when I put in the correct creds on the first try) while putting in incorrect creds? Also, no matter what the creds are, if I do any action (for example, create a HU number via the application), my original username (the one I used as part of my correct creds) is recorded in the SAP system (table VEKP).
Basically, I enter the app with incorrect creds and it seems like SAP thinks that I am the original user again (I don't know whether via session cookies or something else) and then allows me to make subsequent requests.

Note: I am making an axios GET request from my application to the SAP server to get the CSRF token.
