Release info

Created by: klausi
Created on: January 16, 2013 - 14:38
Last updated: January 16, 2013 - 22:08
Core compatibility: 7.x
Release type: Security update

Release notes

See also SA-CONTRIB-2013-003

This release comes with a major API change for clients. A security token has been introduced to guard against CSRF attacks. This change only affects you if

* your client uses cookie-based user authentication and
* your client performs write operations (POST, PUT or DELETE).

Clients that only read data (GET requests) still work the same. Clients that use other authentication mechanisms (like restws_basic_auth) remain unaffected as well.

In order to still write to your Drupal installation those cookie-using clients need to add an X-CSRF-Token header to their HTTP requests. The token can be retrieved from http://example.com/restws/session/token (replace the URL with your site accordingly). You can also generate the token yourself and deliver it with JavaScript settings on the HTML page if you are calling back to the web service interface from JavaScript. That avoids an additional HTTP request just to get the token:

<?php
drupal_add_js(array('restws_csrf_token' => drupal_get_token('restws')), 'setting');
?>

An example for the usage of the X-CSRF-Token header with PHP's cURL can be found in the Simpletests.