SAP REST API CSRF-Token cookie fails with POST method from mobile app

SAP REST API CSRF-Token cookie fails with POST method from mobile app



In my mobile app I am trying to save some data to SAP via REST API calls.

I am storing the CSRF token after the first FETCH command and also extracting the cookie values with MYSAPSSO2 field up to the domain field and pass that along in the header to every REST call.

In between GET method calls i am passing the token and cookie all the time between front and backend. If the token is issued more than 15 minutes ago i request a new FETCH and store it in local storage. If any response has set-cookie with MYSAPPSSO2 field i retrieve and update my cookie in local storage at the frontend.

My local storage only has 1 record containing the token, cookie and a timestamp when it was issued.

I am debugging these values and see that they are the latest from the responses.

However, i keep getting that the token is not valid when i do the POST method.

If i use a REST client like ARC, outside Service Studio, and do a GET method to get token and cookie, i paste the token and part of the cookie with aforementioned fields into ARC and can do the POST method successfully.

If i try this GET and POST directly in Service Studio in design time (test rest api window) to define the REST call it won't work, but if i got the token and cookie from ARC after a fetch and then directly try the POST in Service Studio design time, the REST call went well. 

What am i missing here? there something cached that Service Studio needs? Why does it works after ARC, but not directly inside Service Studio design time?

If i run my app and try to call the POST method to save data i get in my web browser console log following:

[2017-09-01T13:59:54.926Z]: 403 Forbidden
    at Object.a [as getException] (https:... )
    at XMLHttpRequest.y.onload (https:... )

If it's forbidden, why would the call work in design time Test after ARC was ran?

I am a noob with SAP, so i hope someone knows more about this matter. Thanks


We solved the token problem. When sending back the cookie we should also send the sap session id value that was passed back in the cookie from the FETCH command. We are able to save data back in SAP.