Drupal 7 Services 3 Session Authentication with CSRF Token

I really had a bad hour figuring out how Drupal ‎Services‎ (Version 3.x) session authentication works. The documentation is poor and there are several issues stating out problems.

Finally I was able to find a way out of the Service REST jungle and I'd like to share the results with you (and myself for the future) if we should ever run into the same problems again.

The following steps are required:

Module configuration

Enable ‎Services
Select REST server on admin/structure/services/list/app_api
Set the endpoint path (here "services/ep/rest") on admin/structure/services/list/app_api
Activate Session authentication on admin/structure/services/list/app_api

1. Request CSRF Token

  • Make a POST (!!!) call to https://www.example.com/services/session/token (This path is always the same (!!) however you define the endpoint path!
  • Save the response body into a variable. That's the CSRF token. For example "PO6WaREZaDfKVEpZ2X3a90Nyyt6xUdQ06JaBJiYxgI6"

2. Request login

  • Make a POST (!!!) call to https://www.example.com/services/ep/rest/user-service/login.json (where services/ep/rest is your configured endpoint path and user-service is your custom user service path (default would be just "user"))
  • Set the following headers for that POST:
    • Key: "Content-Type", Value: "application/json" (you may use a different type but ensure an appropriate is set, otherwise it will NOT work!)
  • Set your login credentials as body: We're using JSON here, you may also use a different format: {"username":"exampleuser",

That's it! If your credentials are correct you will now receive a JSON result for the user properties.

I used the "restclient" Firefox plugin for my tests: https://addons.mozilla.org/de/firefox/addon/restclient/

token-request.jpg124.9 KB
login-request.jpg166.44 KB


Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account associated with the e-mail address you provide, it will be used to display your avatar.

More information about formatting options

Refresh Type the characters you see in this picture. Type the characters you see in the picture; if you can't read them, submit the form and a new image will be generated. Not case sensitive.  Switch to audio verification.