SharePoint 2013 (and previous versions) uses a client-side "token" to validate posts back to SharePoint, to prevent attacks where the user might be tricked into posting data back to the server (cross-site request forgery). This token is known by many names: form digest, message digest, or request digest. The token is unique to a user and a site and is only valid for a (configurable) limited time.
When executing non-GET REST requests against the SharePoint API, you must add a valid request digest to your request. This digest proves the validity of your request to SharePoint. Because the token is valid only for a limited period of time, you have to ensure that the token you have is still valid before adding it to your request, or the request fails.
    // Read the request digest that SharePoint renders into the page
    var digest = $('#__REQUESTDIGEST').val();
    $.ajax({
        url: '/_api/web/...',
        method: "POST",
        headers: {
            "Accept": "application/json; odata=nometadata",
            // The digest must travel in the X-RequestDigest header
            "X-RequestDigest": digest
        },
        success: function (data) {
            // ...
        },
        error: function (data, errorCode, errorMessage) {
            // ...
        }
    });
Such a request works initially, but if the user keeps the page open for a longer period of time, the request digest on the page expires and the request fails with a 403 FORBIDDEN result. By default, a request digest token is valid for 30 minutes, so before using it you have to ensure that it is still valid. In the past you had to do this manually, by comparing the timestamp from the request digest with the current time.