Download restws-7.x-2.0-alpha4.tar.gztar.gz 31.1 KB
MD5: 10f192640bae085ce9493787d4cf4f3a
SHA-1: 169007de74dcdf1b2c859e4b42d7da782f9e46ff
SHA-256: 6b2189d2e5d411310807b1666ae2fc5d432b5002b86b1048d4a256135c0a8dd4
Download restws-7.x-2.0-alpha4.zipzip 40.38 KB
MD5: 077b3ad4693efaba92e8d236d67a16a9
SHA-1: faaadf8107049e26ae3aa5a9e956a5f54776b1b9
SHA-256: e9b3a88930a7c6d608443469695f4be7ccf754307b7db6d3458991dea39d18ad

Release info

Created by: klausi
Created on: 16 Jan 2013 at 14:40 UTC
Last updated: 16 Jan 2013 at 22:08 UTC
Core compatibility: 7.x
Release type: Security update

Release notes

See also SA-CONTRIB-2013-003

This release comes with a major API change for clients. A security token has been introduced to guard against CSRF attacks. This change only affects you if

* your client uses cookie-based user authentication and
* your client performs write operations (POST, PUT or DELETE).

Clients that only read data (GET requests) still work the same. Clients that use other authentication mechanisms (like restws_basic_auth) remain unaffected as well.

In order to still write to your Drupal installation those cookie-using clients need to add an X-CSRF-Token header to their HTTP requests. The token can be retrieved from (replace the URL with your site accordingly). You can also generate the token yourself and deliver it with JavaScript settings on the HTML page if you are calling back to the web service interface from JavaScript. That avoids an additional HTTP request just to get the token:

drupal_add_js(array('restws_csrf_token' => drupal_get_token('restws')), 'setting');

An example for the usage of the X-CSRF-Token header with PHP's cURL can be found in the Simpletests.

Changes since 7.x-2.0-alpha3:

  • Introduced a session token for write operations from cookie-based clients.
  • #1878064 by whurleyf1: Added alter hook for response.


The selected release is the release that will be used for automated testing. Optional projects are only used for testing.



No optional projects