SAP Knowledge Base Article - Preview

2106251 - "CSRF token validation failed" with a Loadbalancer and SMP


  • The SAP Mobile Platform (SMP) client application correctly gets the CSRF token in an HTTP GET request sent with the header X-CSRF-TOKEN: FETCH.
  • The HTTP GET request with the X-CSRF-TOKEN header is sent via the load balancer multiple times and returns multiple X-CSRF-TOKEN values.
  • The issue is not reproducible if SMP is set to communicate with only one NetWeaver Gateway (without going via the load balancer).
  • NetWeaver Gateway responds with an "HTTP 403 CSRF token validation failed" to an HTTP POST request that carries the latest X-CSRF-TOKEN returned from an HTTP GET request. The response from the NetWeaver Gateway looks like the one below:

    HTTP/1.1 403 Forbidden
    content-type: text/plain; charset=utf-8
    content-length: 28
    x-csrf-token: Required
    server: SAP NetWeaver Application Server / ABAP 731

    CSRF token validation failed
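
A small checker for the symptom pattern listed above, added here as an example and not part of the SAP article: it scans captured request/response pairs for a POST rejected with this exact 403 and reports whether the POST carried the latest of several issued tokens. The trace, host name, OData paths and token values are constructed placeholders.

```python
# Added example: matches the symptom pattern from this article in an HTTP trace.
# The trace below is constructed; host, paths and token values are placeholders.

def parse_message(raw):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").strip().partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()

def find_csrf_symptom(exchanges):
    """Return one finding per POST rejected with the 403 shown in the article."""
    issued = []      # tokens returned to 'X-CSRF-Token: Fetch' GETs, in order
    findings = []
    for index, (raw_req, raw_resp) in enumerate(exchanges):
        req_line, req_h, _ = parse_message(raw_req)
        status_line, resp_h, body = parse_message(raw_resp)
        method = req_line.split()[0]
        sent = req_h.get("x-csrf-token", "")
        if method == "GET" and sent.lower() == "fetch":
            token = resp_h.get("x-csrf-token")
            if token:
                issued.append(token)
        elif (method == "POST" and status_line.split()[1] == "403"
              and resp_h.get("x-csrf-token", "").lower() == "required"
              and "CSRF token validation failed" in body):
            findings.append({
                "exchange": index,
                "sent_latest_token": bool(issued) and sent == issued[-1],
                "distinct_tokens_issued": len(set(issued)),
            })
    return findings

GET = "GET /odata/Service/ HTTP/1.1\nHost: lb.example.test\nX-CSRF-Token: Fetch"
TRACE = [  # constructed: two fetches via the load balancer, then the rejected POST
    (GET, "HTTP/1.1 200 OK\nx-csrf-token: TOKEN-A\n\n{}"),
    (GET, "HTTP/1.1 200 OK\nx-csrf-token: TOKEN-B\n\n{}"),
    ("POST /odata/Service/Items HTTP/1.1\nHost: lb.example.test\n"
     "X-CSRF-Token: TOKEN-B\n\n{}",
     "HTTP/1.1 403 Forbidden\ncontent-type: text/plain; charset=utf-8\n"
     "x-csrf-token: Required\n\nCSRF token validation failed"),
]

if __name__ == "__main__":
    print(find_csrf_symptom(TRACE))
```

A finding with sent_latest_token true and distinct_tokens_issued greater than 1 corresponds to the combination of symptoms in the list above.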



  • Sybase Unwired Platform 2.2.x / SAP Mobile Platform 2.3.x-3.0.x
  • OData application type
  • All Supported Mobile Operating Systems


Load Balancer third party, KBA, MOB-SUP-ODP, Sybase Unwired Platform Online Data Proxy, Problem
