Drupal 7 Services 3 Session Authentication with CSRF Token

I really had a bad hour figuring out how Drupal services.module (Version 3.x) session authentication works. The documentation is poor and there are several issues stating out problems.

Finally I was able to find a way out of the Service REST jungle and I'd like to share the results with you (and myself for the future) if we should ever run into the same problems again.

The following steps are required:

Module configuration

Enable services.module
Select REST server on admin/structure/services/list/app_api
Set the endpoint path (here "services/ep/rest") on admin/structure/services/list/app_api
Activate Session authentication on admin/structure/services/list/app_api

1. Request CSRF Token

  • Make a POST (!!!) call to https://www.example.com/services/session/token (This path is always the same (!!) however you define the endpoint path!
  • Save the response body into a variable. That's the CSRF token. For example "PO6WaREZaDfKVEpZ2X3a90Nyyt6xUdQ06JaBJiYxgI6"

2. Request login

  • Make a POST (!!!) call to https://www.example.com/services/ep/rest/user-service/login.json (where services/ep/rest is your configured endpoint path and user-service is your custom user service path (default would be just "user"))
  • Set the following headers for that POST:
    • Key: "Content-Type", Value: "application/json" (you may use a different type but ensure an appropriate is set, otherwise it will NOT work!)
  • Set your login credentials as body: We're using JSON here, you may also use a different format: {"username":"exampleuser",

That's it! If your credentials are correct you will now receive a JSON result for the user properties.

I used the "restclient" Firefox plugin for my tests: https://addons.mozilla.org/de/firefox/addon/restclient/

token-request.jpg124.9 KB
login-request.jpg166.44 KB


Kommentar hinzufügen

Der Inhalt dieses Feldes wird nicht öffentlich zugänglich angezeigt.

Weitere Informationen über Formatierungsoptionen