Along with the Session Token, the caller is issued an Anti-Forgery Token in the form of a cookie named XSRF-TOKEN. This token is unique per session. To prevent Cross-Site Request Forgery (XSRF) attacks, the caller is required to pass the Anti-Forgery Token as both a cookie and a header (named X-XSRF-TOKEN) on all requests, and the two values must be identical. This is the double-submit pattern: a page on another origin can make the browser attach the cookie, but it cannot set the custom X-XSRF-TOKEN header, so a forged request cannot satisfy the check.
A typical Anti-Forgery Token cookie looks like:
Set-Cookie: XSRF-TOKEN=92qk8MOPcsBxXT6eVSwIIVG6SKr6lj7iOhKyMwXzfCRSvgNn4NqavHXbwswRq-MW6tHl-nVtELmZlnlF79GH_A; Max-Age=1800; Domain=srv01.my.com; Path=/; Secure
Given this token, the caller should issue requests like the following:
GET https://srv01.my.com/cam/api/Tenants HTTP/1.1
Host: srv01.my.com
Cookie: CamApiSessionId=tgqHpRA2H_ja7fwd3NBfuFXwTCEJ8kWVAbqMUehHpI4JYHkuJCQVll7YO3ld1PUO69PeQyAyRm4q1gOmXvFqsQ; XSRF-TOKEN=92qk8MOPcsBxXT6eVSwIIVG6SKr6lj7iOhKyMwXzfCRSvgNn4NqavHXbwswRq-MW6tHl-nVtELmZlnlF79GH_A
X-XSRF-TOKEN: 92qk8MOPcsBxXT6eVSwIIVG6SKr6lj7iOhKyMwXzfCRSvgNn4NqavHXbwswRq-MW6tHl-nVtELmZlnlF79GH_A
If the caller omits the Anti-Forgery Token (from either the cookie or the header), or passes a value that does not match the token issued for the session, the API responds with 400 Bad Request. The response body states Missing or invalid CSRF Anti-Forgery Token.
Every time a request is made using a valid Anti-Forgery Token, the token's lifetime is extended. The response includes a new Set-Cookie header for XSRF-TOKEN with the refreshed Max-Age; the caller should replace its stored cookie with the value from that header so that the cookie and the X-XSRF-TOKEN header stay in step.
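The following is an added example, not code from the CAM API or its documentation. It models the flow described above end to end: a client that stores the cookies from Set-Cookie and echoes XSRF-TOKEN in the X-XSRF-TOKEN header, and a hypothetical stand-in server (an assumption, not the real API's implementation) that binds the token to the session, rejects a request with 400 when the token is missing or does not match, and re-issues the cookie with a fresh Max-Age on every valid request. It goes one step beyond the text by also showing why the server-side binding to the session matters: an attacker who can plant a cookie on the domain and supply a matching header (cookie tossing) still fails, because the planted value is not the token issued for that session. The cookie and header names, the Max-Age of 1800 and the domain srv01.my.com are taken from the page; everything else is constructed.

```python
"""Double-submit anti-forgery flow: client plus a stand-in server.

Illustrative only. StandInServer is a hypothetical model of the behaviour the
documentation describes; it is not the CAM API's own code.
"""
import hmac
import secrets

SESSION_COOKIE = "CamApiSessionId"
XSRF_COOKIE = "XSRF-TOKEN"
XSRF_HEADER = "X-XSRF-TOKEN"
TOKEN_TTL = 1800            # seconds; matches Max-Age in the sample Set-Cookie
DOMAIN = "srv01.my.com"     # from the sample Set-Cookie
REJECT_BODY = "Missing or invalid CSRF Anti-Forgery Token"


def parse_cookie_pairs(text):
    """Parse 'a=b; c=d' (a Cookie header) into a dict."""
    pairs = {}
    for part in text.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs[name] = value
    return pairs


def set_cookie_name_value(set_cookie):
    """Return (name, value) from a Set-Cookie header, ignoring its attributes."""
    name, _, value = set_cookie.split(";", 1)[0].strip().partition("=")
    return name, value


def _same(a, b):
    """Constant-time string comparison; non-ASCII input never raises."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class StandInServer:
    """Hypothetical server that issues and validates session + anti-forgery tokens."""

    def __init__(self):
        self.sessions = {}   # session id -> XSRF token bound to that session

    def _cookie(self, name, value):
        return f"{name}={value}; Max-Age={TOKEN_TTL}; Domain={DOMAIN}; Path=/; Secure"

    def login(self):
        """Issue a new session and a per-session anti-forgery token."""
        session, xsrf = secrets.token_urlsafe(48), secrets.token_urlsafe(48)
        self.sessions[session] = xsrf
        return [self._cookie(SESSION_COOKIE, session), self._cookie(XSRF_COOKIE, xsrf)]

    def handle(self, headers):
        """Return (status, body, set_cookie_list) for a request's headers."""
        cookies = parse_cookie_pairs(headers.get("Cookie", ""))
        expected = self.sessions.get(cookies.get(SESSION_COOKIE, ""))
        if expected is None:
            return 401, "no session", []
        from_cookie = cookies.get(XSRF_COOKIE, "")
        from_header = headers.get(XSRF_HEADER, "")
        # Both copies must be present, and both must equal the token bound to
        # the session; a cookie/header pair that merely match each other is not
        # enough (defeats cookie tossing).
        if not (from_cookie and from_header
                and _same(from_cookie, expected) and _same(from_header, expected)):
            return 400, REJECT_BODY, []
        # Valid request: extend the token's life by re-issuing the cookie.
        return 200, "ok", [self._cookie(XSRF_COOKIE, expected)]


class Client:
    """Stores cookies from Set-Cookie and echoes XSRF-TOKEN as X-XSRF-TOKEN."""

    def __init__(self):
        self.cookies = {}

    def absorb(self, set_cookies):
        for sc in set_cookies:
            name, value = set_cookie_name_value(sc)
            self.cookies[name] = value

    def headers(self):
        h = {"Host": DOMAIN,
             "Cookie": "; ".join(f"{k}={v}" for k, v in self.cookies.items())}
        if XSRF_COOKIE in self.cookies:
            h[XSRF_HEADER] = self.cookies[XSRF_COOKIE]
        return h


def demo():
    """Run the happy path and the two failure modes; returns the status codes."""
    server, client = StandInServer(), Client()
    client.absorb(server.login())
    status, _, refreshed = server.handle(client.headers())
    client.absorb(refreshed)                      # keep the refreshed cookie
    no_header = dict(client.headers())
    no_header.pop(XSRF_HEADER)                    # what a cross-site form can send
    wrong = dict(client.headers())
    wrong[XSRF_HEADER] = "not-the-token"
    return status, server.handle(no_header)[0], server.handle(wrong)[0]


if __name__ == "__main__":
    print(demo())
```

A real client should treat the Max-Age on each refreshed Set-Cookie as the new expiry and re-read the XSRF-TOKEN cookie after every response rather than caching the value from login.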