Other kinds of cookies perform essential functions in the modern web.
Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with.
On re-entry, the cached content's ETag is not validated.
The protection against this risk is a combination of tooling (mail filters) and user education (do not just open any received mail).
But the request header is not automatically reused or added by the browser, so the malicious code must explicitly set it in the XMLHttpRequest.
However, the CSRF token value can only be retrieved and read by JavaScript code that originates from the same domain as the Gateway web service.
But in order for SAP ICF, and thus Gateway, to trust and then execute such a transactional request, the request must be signed with the CSRF token as the secret key in the request header cookie.
The browser automatically includes all the cookies in the request.
Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past).
They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit card numbers.
Gateway is therefore able to detect that the malicious request is not legitimate.