API X-CSRF-Token

  • 1.  API X-CSRF-Token

    Posted Mar 18, 2024 07:44 AM

    AOS 8.10.0.10 Conductor and clusters

    Hello,

    I'm not a programmer but use the API to do a few tasks. I noticed that here https://www.arubanetworks.com/techdocs/ArubaOS_87_Web_Help/Content/nbapiguide/prerequisites.htm it says:

    "Starting from ArubaOS 8.7.0.0, UIDARUBA is deprecated. The X-CSRF-Token will be used in the header. The UIDARUBA is still available for backward compatibility with older ArubaOS firmware versions."

    I have always used UIDARUBA up till now, but thought I should start updating my scripts to use X-CSRF-Token. I was hoping I could just parse X-CSRF-Token from the login request (instead of UIDARUBA) and then add that to the header of my next request instead of the UIDARUBA token, but I keep getting 401 unauthorised.

    I seem to be getting the token itself fine, but then my next request fails:

        import requests

        # mc (controller address) and uid (token parsed from the login response) are set earlier in the script
        url = f"https://{mc}:4343/v1/configuration/object/reload"
        body = {
            "force": True
        }
        # UIDARUBA deprecated (removed from querystring), switched to X-CSRF-Token 18/03/2024
        querystring = {"config_path": "/md"}
        headers = {
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Cookie": f"SESSION={uid}",
            "X-CSRF-Token": f"{uid}"
        }
        response = requests.request("POST", url, json=body, headers=headers, verify=False, params=querystring)
    

     What am I doing wrong here? I'm also not really sure what "Cookie" does but I've always included it, I must have got it from some documentation at some point. It was previously set to the UIDARUBA, but now 'uid' is the X-CSRF-Token.



  • 2.  RE: API X-CSRF-Token

    MVP GURU
    Posted Mar 18, 2024 09:37 AM

    Hi cauliflower

    I always use uidaruba....

    Have you checked the log? Or the output of the error request?



    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: API X-CSRF-Token

    Posted Mar 18, 2024 02:10 PM

    In the logs I see:

    Mar 18 10:30:01 2024  httpd[32483]: SID validation failed for API opcode:/v1/configuration/object/reload, sid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Mar 18 10:30:01 2024  httpd[32483]: SID Validation failed POST URI:/v1/configuration/object/reload

    I'm not sure what SID is 




  • 4.  RE: API X-CSRF-Token

    EMPLOYEE
    Posted Mar 19, 2024 06:51 AM

    This is what works for me... on the login, I get the following json-response (redacted):

    {'_global_result': {'status': '0', 'status_str': "You've logged in successfully.", 'UIDARUBA': 'ZTc1Njredacted1', 'X-CSRF-Token': 'NzhiM2redacted2'}}

    Then in the follow-up calls, I put this in the header:

    {'X-CSRF-Token': 'NzhiM2redacted2'}

    The Cookies:

    {'SESSION': 'ZTc1Njredacted1'}

    And in addition, I use the cookie function to collect/store/cache and send cookies that were received earlier.

    I think SID is session ID, which seems to sit in the cookies. But most important from your example is that the SESSION cookie and X-CSRF-Token are different values, which also makes sense for a CSRF mechanism.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: API X-CSRF-Token

    Posted Mar 20, 2024 11:43 AM

    Thanks Herman,

    So previously I would just obtain a UIDARUBA using login and it looks like this is what was also set as the SESSION cookie value in the headers.  So how do I obtain a different value to use as the SESSION cookie?

    What are the implications of continuing to use UIDARUBA in the way I am? Is it considered insecure now? 

    And will the UIDARUBA method disappear at some point?

    Apologies for the many questions, as I say, I'm not a programmer so some of this is new to me

    Guy




  • 6.  RE: API X-CSRF-Token

    EMPLOYEE
    Posted Mar 25, 2024 09:23 AM

    I see I made a mistake in the example I used before... So the 'X-CSRF-Token' goes as a header, the UIDARUBA goes as the SESSION Cookie; but it is also received as a 'Set-Cookie' on the request, so if you use a cookie-jar or so, you should just use the X-CSRF-Token.

    As far as I know, if you don't use the X-CSRF-Token, it will just not work, so it's required for accessing the API on modern versions of ArubaOS.



    ------------------------------
    Herman Robers
    ------------------------------
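
Added example, not part of any post in this thread: the flow described in posts 4 and 6, with the X-CSRF-Token sent as a header and UIDARUBA carried as the SESSION cookie, plus a check that catches the mix-up from post 1. The `/v1/api/login` path, its form fields and the helper names are assumptions; the functions take any `requests.Session`-like object.

```python
# Added example, not code from the thread. Assumed: the /v1/api/login path, its
# form fields, and the helper names login/api_post/auth_problem. Taken from the
# thread: port 4343, the _global_result layout, the header and cookie names.

def login(session, mc, username, password, verify=True):
    """Log in and prime a requests.Session-like object for later calls."""
    resp = session.post(
        f"https://{mc}:4343/v1/api/login",  # assumed login endpoint
        data={"username": username, "password": password},
        verify=verify,  # True, or a path to the controller's CA bundle
    )
    resp.raise_for_status()
    result = resp.json()["_global_result"]
    if str(result.get("status")) != "0":
        raise RuntimeError(f"login failed: {result.get('status_str')}")
    # The CSRF token travels as a header on every follow-up request.
    session.headers["X-CSRF-Token"] = result["X-CSRF-Token"]
    # The session ID (UIDARUBA) travels as the SESSION cookie. A cookie jar
    # normally holds it already from Set-Cookie; fill it in only if absent.
    if session.cookies.get("SESSION") is None:
        session.cookies.set("SESSION", result["UIDARUBA"])
    return result["X-CSRF-Token"]


def auth_problem(headers, cookies):
    """Return a description of what is wrong with the credentials, or None."""
    token, sid = headers.get("X-CSRF-Token"), cookies.get("SESSION")
    if not token:
        return "X-CSRF-Token header missing"
    if not sid:
        return "SESSION cookie missing"
    if token == sid:
        return "SESSION cookie holds the CSRF token; it should hold UIDARUBA"
    return None


def api_post(session, mc, path, body, config_path="/md", verify=True):
    """POST to a configuration object using the primed session."""
    problem = auth_problem(session.headers, session.cookies)
    if problem:
        raise ValueError(problem)
    return session.post(f"https://{mc}:4343{path}", json=body,
                        params={"config_path": config_path}, verify=verify)

# Usage with the real library:
#   s = requests.Session(); login(s, mc, user, pw, verify="/path/to/ca.pem")
#   api_post(s, mc, "/v1/configuration/object/reload", {"force": True})
```
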



  • 7.  RE: API X-CSRF-Token

    MVP GURU
    Posted Mar 21, 2024 07:27 AM

    There is a typo in the Aruba 8.12 API guide; it says

    X-CSRFToken

