SAP Knowledge Base Article - Preview

2106251 - "CSRF token validation failed" with a Loadbalancer and SMP


  • The SAP Mobile Platform (SMP) client application correctly obtains the CSRF token in an HTTP GET request sent with the header X-CSRF-TOKEN: FETCH.
  • The HTTP GET request is sent via the load balancer with the X-CSRF-TOKEN header multiple times and returns multiple X-CSRF-TOKEN values.
  • The issue is not reproducible if SMP is set to communicate with only one NetWeaver Gateway (without going via the load balancer).
  • NetWeaver Gateway responds with an "HTTP 403 CSRF token validation failed" to an HTTP POST request that carries the latest X-CSRF-TOKEN returned from an HTTP GET request. The response from the NetWeaver Gateway looks like the one below:

HTTP/1.1 403 Forbidden
content-type: text/plain; charset=utf-8
content-length: 28
x-csrf-token: Required
server: SAP NetWeaver Application Server / ABAP 731

CSRF token validation failed
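
One way to confirm this symptom pattern in a captured HTTP trace, as an added example that is not part of the KBA. The trace record layout, the function names and the token values are constructed assumptions.

```python
# Constructed sample trace (not from the KBA): one dict per request/response pair.
SAMPLE_TRACE = [
    {"method": "GET", "req": {"X-CSRF-Token": "Fetch"}, "status": 200,
     "resp": {"x-csrf-token": "TOKEN-1"}, "body": ""},
    {"method": "GET", "req": {"X-CSRF-Token": "Fetch"}, "status": 200,
     "resp": {"x-csrf-token": "TOKEN-2"}, "body": ""},
    {"method": "GET", "req": {"X-CSRF-Token": "Fetch"}, "status": 200,
     "resp": {"x-csrf-token": "TOKEN-3"}, "body": ""},
    {"method": "POST", "req": {"X-CSRF-Token": "TOKEN-3"}, "status": 403,
     "resp": {"x-csrf-token": "Required"},
     "body": "CSRF token validation failed"},
]


def header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def find_csrf_rejections(trace):
    """Return one finding per POST rejected with 403 and 'x-csrf-token: Required'.

    Each finding records whether the rejected POST carried the most recently
    fetched token and how many distinct tokens the earlier fetch GETs returned.
    """
    fetched = []   # tokens returned by fetch GETs, in order of arrival
    findings = []
    for index, exchange in enumerate(trace):
        sent = header(exchange["req"], "x-csrf-token")
        returned = header(exchange["resp"], "x-csrf-token")
        is_fetch = exchange["method"] == "GET" and (sent or "").lower() == "fetch"
        if is_fetch and returned and returned.lower() != "required":
            fetched.append(returned)
        elif (exchange["method"] == "POST" and exchange["status"] == 403
              and (returned or "").lower() == "required"):
            findings.append({
                "index": index,
                "sent_token": sent,
                "sent_latest_fetched": bool(fetched) and sent == fetched[-1],
                "distinct_fetched_tokens": len(set(fetched)),
                "body_matches": "CSRF token validation failed" in exchange["body"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_csrf_rejections(SAMPLE_TRACE):
        print(finding)
```

A finding with `sent_latest_fetched` set to true and more than one distinct fetched token matches the symptoms listed above.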



  • Sybase Unwired Platform 2.2.x / SAP Mobile Platform 2.3.x-3.0.x
  • OData application type
  • All Supported Mobile Operating Systems


Load Balancer third party, KBA, MOB-SUP-ODP, Sybase Unwired Platform Online Data Proxy, Problem
