Along with the Session Token, the caller is issued an Anti-Forgery Token in the form of a cookie named XSRF-TOKEN. This token is unique per-session. To prevent Cross-Site Request Forgery (XSRF) attacks, the caller is required to pass the Anti-Forgery Token as both a cookie and a header (named X-XSRF-TOKEN) on all requests.

A typical Anti-Forgery Token cookie looks like:

    Set-Cookie: XSRF-TOKEN=92qk8MOPcsBxXT6eVSwIIVG6SKr6lj7iOhKyMwXzfCRSvgNn4NqavHXbwswRq-MW6tHl-nVtELmZlnlF79GH_A; Max-Age=1800; Domain=srv01.my.com; Path=/; Secure

Given this token, the caller should issue requests like the following:

    GET https://srv01.my.com/cam/api/Tenants HTTP/1.1
    Host: srv01.my.com
    Cookie: CamApiSessionId=tgqHpRA2H_ja7fwd3NBfuFXwTCEJ8kWVAbqMUehHpI4JYHkuJCQVll7YO3ld1PUO69PeQyAyRm4q1gOmXvFqsQ; XSRF-TOKEN=92qk8MOPcsBxXT6eVSwIIVG6SKr6lj7iOhKyMwXzfCRSvgNn4NqavHXbwswRq-MW6tHl-nVtELmZlnlF79GH_A
    X-XSRF-TOKEN: 92qk8MOPcsBxXT6eVSwIIVG6SKr6lj7iOhKyMwXzfCRSvgNn4NqavHXbwswRq-MW6tHl-nVtELmZlnlF79GH_A

If the caller omits the Anti-Forgery Token, or passes one that is incorrect, the API responds with a 400 Bad Request error. The response body states "Missing or invalid CSRF Anti-Forgery Token".

Every time a request is made with a valid Anti-Forgery Token, the token's lifetime is extended. The response includes a new Set-Cookie header that reflects the refreshed cookie lifetime.
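The following is an added example (not the API's own client) of how a caller tracks the two cookies and submits the token in both places, and of the rule the 400 response implies. Cookie and header names and the error text come from the text above; the host and token values in the test are constructed, and `double_submit_ok` is an illustration of the documented rule, not the service's implementation.

```python
"""Double-submit XSRF handling for the CAM API (added example).

Cookie names, header name and the 400 message are from the documentation
above; hostnames and token values used with this code are constructed.
"""
import hmac

SESSION_COOKIE = "CamApiSessionId"
XSRF_COOKIE = "XSRF-TOKEN"
XSRF_HEADER = "X-XSRF-TOKEN"


def cookie_pair(cookie_text):
    """Return (name, value) from a Set-Cookie line or a Cookie segment,
    dropping attributes such as Max-Age, Domain, Path and Secure."""
    name, _, value = cookie_text.split(";", 1)[0].strip().partition("=")
    return name, value


class CamClientSession:
    """Holds the cookies issued by the API and builds request headers."""

    def __init__(self):
        self.cookies = {}

    def absorb(self, set_cookie_headers):
        """Apply every Set-Cookie from a response. Run this on every
        response, not just the login response: a valid request refreshes
        XSRF-TOKEN and the API returns the refreshed cookie."""
        for raw in set_cookie_headers:
            name, value = cookie_pair(raw)
            self.cookies[name] = value

    def headers(self):
        """Cookie and X-XSRF-TOKEN headers carrying the same token value."""
        token = self.cookies.get(XSRF_COOKIE)
        if not token:
            raise RuntimeError("no XSRF-TOKEN held; authenticate first")
        cookie_line = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return {"Cookie": cookie_line, XSRF_HEADER: token}


def double_submit_ok(cookie_header, xsrf_header):
    """The documented rule as a server would check it (illustration, not
    the service's code): the XSRF-TOKEN cookie and the X-XSRF-TOKEN header
    must both be present and equal. compare_digest keeps the comparison
    time independent of where the two values first differ."""
    jar = dict(cookie_pair(c) for c in cookie_header.split(";") if "=" in c)
    token = jar.get(XSRF_COOKIE, "")
    header = xsrf_header or ""
    return bool(token) and hmac.compare_digest(token.encode(), header.encode())
```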