Intermittent authoring issue in AEM

Forum|Forum|8 hours ago
March 24, 2026
2 replies
6 views

Some of our authors reporting intermittent issue (like once a month per user behavior) while authoring pages in our internal prod author.

Issue is that they are not able to save component dialogs in middle of authoring work even though they are able to login and navigate through pages. They get error failed to submit form. Upon clearing cache for all time and logging in again only is fixing this issue. Same time they are able to edit and save using other browser.

upon checking HAR file we see that the csrf token request is giving 403 response (I think only post calls are not getting authenticated) and on further checking their login-token cookie is missing in the browser. This issue is not getting solved until they clear cache for all time and force login back.

Is there any reason why the login-token OOTB cookie get dropped or not being set for a logged in session (even though the user is logged in and can navigate through pages and even can see component edit dialogs)?

Below are some log lines at the same time user is trying to save component dialog-

04.03.2026 15:01:31.664 *INFO* [10.29.102.38 [1772636491662] POST <page_path> HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting
04.03.2026 15:01:31.664 *INFO* [10.29.102.38 [1772636491662] POST <page_path> HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid
04.03.2026 15:01:31.856 *INFO* [qtp342047583-17481] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
04.03.2026 15:01:31.860 *WARN* [qtp342047583-17481] org.apache.sling.auth.core.AuthUtil isRedirectValid: Redirect target must not be empty or null

Experience Manager Sites

M

MuhammadSa11Author

Level 1

Correction - not the csrf toke is giving 403. it is the component dilaog submit post call giving 403.

AmitVishwakarma

Community Advisor

Hi @MuhammadSa11

You're right to focus on the login-token – that's the key here, not the token.json call.

From AEM's point of view, what's happening is:

The user's AEM session cookie (login-token) is gone or not sent on the failing POST.

The dialog submit is then treated as anonymous and hits the CSRF filter without a valid CSRF token > 403:

com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting
com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid
org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration

Navigation and opening dialogs still work because they're mostly GET requests and often cached/unprotected; only POST requires a valid login + CSRF token. The fact that:

login-token is missing on the failing POST,
it works in another browser, and
it's fixed by clearing browser data and logging in again

all point to client‑side cookie/session state getting out of sync, not a broken CSRF implementation.

1. Fix for affected authors

Instead of "clear cache for all time", do a surgical reset:

Open DevTools > Application/Storage >Cookies for your author URL (e.g. https://author.company.com).
Delete only AEM/IMS cookies for that host, especially:
- login-token
- any oauth-configid / IMS cookies for that org
Reload the author URL and log in once.

This is effectively the same as what you're doing now, but without wiping the whole browser cache.

2. Make sure authors always use one canonical author URL

The login-token cookie is host + path scoped. If people sometimes hit:

they'll end up with multiple, incompatible sessions, and some requests (like the dialog POST) may go out without the cookie.

Pick one canonical author URL (usually the https://author… one) and:

Communicate that to authors.
Make sure any bookmarks / intranet links use only that host.

3. Check you haven't customized token/CSRF auth in a risky way

On the server side, keep the auth stack as close to default as possible:

Token Authentication Handler (Granite Token Authentication Handler / TokenAuthenticationHandler):
Cookie name should be login-token.
Path should be /.
SameSite should be left at the product default for your version unless Support explicitly told you otherwise (mis‑setting SameSite can cause modern browsers to silently drop the cookie).
CSRF Filter: use the product defaults and make sure /libs/granite/csrf/token.json and the standard authoring POSTs are not blocked or cached by Dispatcher/CDN.

If you have custom OAuth/IMS/SAML auth handler configs, test once with all custom auth OSGi configs disabled (or in a lower env with stock auth) to confirm it's not a custom handler occasionally resetting or overwriting login-token.

If you can grab one HAR where the dialog POST fails and one where it succeeds, compare the Request Headers >Cookie line; you should see login-token present in the good case and missing in the bad one. That will give you something concrete to show infra/security if a proxy, extension, or SSO tweak is stripping or rewriting cookies.

Amit Vishwakarma - Adobe Commerce Champion 2025 | 16x Adobe certified | 4x Adobe SME

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded