CSRF token error when invoking API method
Hello,
I'm experiencing some problems with the password-based authentication... 3 different cookies are returned by FortiOS and must be used when requesting a new action. I pass them back in a POST request to close an IP session:
POST /api/v2/monitor/firewall/session/close?vdom=root HTTP/1.1
Host: 10.20.0.1
User-Agent: XXXX
Accept: text/html
Cookie: ccsrftoken_10656386745237807568="DCE862FD87E523BEE641546449B5AF3C"; APSCOOKIE_10656386745237807568="Era%3D0%26Payload%3DYMNNBUoKmNoiinWPLyZGSE8b++PURX2fjApAJHICiNOs6nJg5nZWzpy6qZbt4oET%0AvqeYC839nOfmZIyC7KEXGHuS43fnJXVJFCZrhCnzkZt66ouxIwbzhgoNsIeeiDpP%0AIO+TLdDC%2FVi80I1EFfGAjYSiQ6Nckwrkh4Oau7Yi6K1Lhv3%2FH13hdi9S79fb5H8u%0A0SdhT0P8kB69%2FY8i7IWudw%3D%3D%0A%26AuthHash%3DbC4cjbd9fNwWXsuBcP2TvWYQH2YA%0A"; ccsrftoken="DCE862FD87E523BEE641546449B5AF3C"
Content-Length: 87
Content-Type: application/json

{'pro':"TCP", 'saddr':"172.16.4.21", 'daddr':"172.16.4.1", 'sport':2489, 'dport':135}
But I get an error back (here the debugging output from FortiOS):
[httpsd 282 - 1511087694 info] handle_req_v2_vdom[2522] -- new API request (action='close',path='firewall',name='session',vdom='root',user='admin')
[httpsd 282 - 1511087694 error] is_valid_csrf_token[2845] -- no CSRF token found
[httpsd 282 - 1511087694 error] api_monitor_execute_handler[2400] -- no valid CSRF token found
If I issue a GET, even without a CSRF token, for instance requesting "api/v2/monitor/user/banned/select/", that will always work (after having successfully submitted credentials to "/logincheck").
Thanks
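
Added example, not part of the original post: with session-based login, FortiOS expects the ccsrftoken cookie value (quotes removed) to be echoed in an X-CSRFTOKEN request header on write requests, which is why a POST carrying only the cookies is logged as "no CSRF token found" while GET requests succeed. The Python sketch below builds those headers from a Cookie string; the cookie values are constructed, and `server_accepts` is a simplified model of a double-submit check, not FortiOS code.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def parse_cookies(cookie_header):
    """Split a Cookie header into {name: value}, dropping surrounding quotes."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value.strip('"')
    return cookies

def csrf_token(cookie_header):
    """Return the ccsrftoken value; fall back to a suffixed ccsrftoken_<id> cookie."""
    cookies = parse_cookies(cookie_header)
    if "ccsrftoken" in cookies:
        return cookies["ccsrftoken"]
    for name, value in cookies.items():
        if name.startswith("ccsrftoken_"):
            return value
    return None

def write_headers(cookie_header):
    """Headers for POST/PUT/DELETE: cookies plus the token echoed in X-CSRFTOKEN."""
    token = csrf_token(cookie_header)
    if token is None:
        raise ValueError("no ccsrftoken cookie; log in via /logincheck first")
    return {"Cookie": cookie_header, "X-CSRFTOKEN": token,
            "Content-Type": "application/json"}

def server_accepts(method, headers):
    """Simplified model of a double-submit check (assumption, not FortiOS code)."""
    if method.upper() in SAFE_METHODS:
        return True  # read-only requests pass without a token, as in the post
    cookie_tok = csrf_token(headers.get("Cookie", ""))
    header_tok = headers.get("X-CSRFTOKEN")
    if not cookie_tok or not header_tok:
        return False  # token present only as a cookie: "no CSRF token found"
    return hmac.compare_digest(cookie_tok, header_tok)

# Constructed sample values, not taken from a real session.
SAMPLE_COOKIES = ('ccsrftoken_1234="0123ABCD"; '
                  'APSCOOKIE_1234="Era%3D0%26Payload%3Dxyz"; ccsrftoken="0123ABCD"')
```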
