:cq_csrf_token and form container core component

Level 5

Hi masters!

I'm trying to use the 'Form Container', from core components (core/wcm/components/form/container/v2/container), to send emails, configuring the 'Action Type' to 'Mail'.

But when the form is sent to the thank you page, a 403 message is shown, and I can see this in the error.log:

17.06.2019 10:30:23.629 *INFO* [0:0:0:0:0:0:0:1 [1560760223623] POST /content/hesperiaweb/language-masters/es/contacto.html HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting

17.06.2019 10:30:23.629 *INFO* [0:0:0:0:0:0:0:1 [1560760223623] POST /content/hesperiaweb/language-masters/es/contacto.html HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

I've done this in previous versions of AEM with the former 'foundation/components/form/start' component, and this component added the :cq_csrf_token field to the request. But it seems the new core component doesn't, or I miss something...

Could you help me?

Kind regards,

5 Replies

Employee

You need to check that the CSRF-Token is passed in the /clientheaders section in Dispatcher.

Level 5

Hi aem_marc.

I'm using only an AEM 6.5 author instance (no publish instance, no dispatcher). With admin user!

Thank you anyway!

Kind regards,

Level 4

Hi Julio, have you solved this problem? I face a similar problem after trying to configure an external URL as a thank you page.

Level 1

Hi @Julio_Baixauli,

I'm coming in very late to this question, but since this post comes up in searches for ":cq_csrf_token" it may help someone.

It appears that in AEM versions before 6.1 :cq_csrf_token was used, passed in request headers.

After that, as @aemmarc says, CSRF-Token is passed in the request headers.

For example I'm working on legacy code which checks for :cq_csrf_token.

String csrf = request.getParameter(":cq_csrf_token");
if (StringUtils.isBlank(csrf)) {
    // legacy check: reject the request when the token parameter is missing
    ...
}

Since we're switching to use AEM's CSRF Protection Framework, this doesn't work for us.

Changing to

String csrf = request.getParameter("CSRF-Token");
if (StringUtils.isBlank(csrf)) {
    // same check, now against the name used by the CSRF Protection Framework
    ...
}

works.

Level 1

Hello @Julio_Baixauli . The post is an old one, and I'm not sure whether the problem is actual now or not, but below you can find the solution for your case. Hope it will help others too.
The reason behind this is that AEM will decline every POST, PUT or DELETE request if the CSRF token is missing on the author instance (where authentication exists). For the publish instance or an anonymous user, the CSRF token is empty, and that's fine, because there is no authentication. The com.adobe.granite.csrf.impl.CSRFFilter checks and validates the scenarios described above.

For Core form container you can do the following: (Applicable for author instance)

  1. Create input element with type hidden and with name ":cq_csrf_token".
  2. Get the CSRF token using link - /libs/granite/csrf/token.json 
  3. Set the token to the input you have created, before form submission.

You can also send the token from Front-End using HTTP header - CSRF-Token.

Hope this helps !
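The three steps above, as an added browser-side example (not code from this thread, from AEM or from the Core Components project): fetch the token from /libs/granite/csrf/token.json, put it into a hidden :cq_csrf_token input right before the form container submits, with a helper for the CSRF-Token header variant. It assumes token.json answers {"token":"..."} and that the form container renders form.cmp-form (selector is an assumption).

```javascript
const TOKEN_ENDPOINT = '/libs/granite/csrf/token.json';
const FIELD_NAME = ':cq_csrf_token';
const HEADER_NAME = 'CSRF-Token';

// Parse the token.json body. A blank token is rejected here so the request
// never reaches CSRFFilter with "empty CSRF token" as in the question's log.
function parseTokenResponse(body) {
  let data;
  try { data = JSON.parse(body); } catch (e) { throw new Error('token.json is not JSON'); }
  const token = typeof data.token === 'string' ? data.token.trim() : '';
  if (!token) throw new Error('token.json returned an empty token');
  return token;
}

// Add (or refresh) the hidden ":cq_csrf_token" input on a form. `doc` is the
// Document used to create the element and defaults to the page's document.
function attachCsrfField(form, token, doc = globalThis.document) {
  let input = form.querySelector(`input[name="${FIELD_NAME}"]`);
  if (!input) {
    input = doc.createElement('input');
    input.type = 'hidden';
    input.name = FIELD_NAME;
    form.appendChild(input);
  }
  input.value = token;
  return input;
}

// Header variant for fetch/XHR submissions: copy `headers` and add CSRF-Token.
function withCsrfHeader(token, headers = {}) {
  return { ...headers, [HEADER_NAME]: token };
}

// Fetch a token with the author session cookie (same-origin credentials).
async function fetchCsrfToken(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, { credentials: 'same-origin' });
  if (!res.ok) throw new Error(`token.json returned HTTP ${res.status}`);
  return parseTokenResponse(await res.text());
}

// Browser wiring (skipped when there is no DOM): fetch a fresh token on each
// submit, inject it, then resubmit. form.submit() does not re-fire 'submit'.
if (typeof document !== 'undefined') {
  document.querySelectorAll('form.cmp-form').forEach((form) => {
    form.addEventListener('submit', (event) => {
      event.preventDefault();
      fetchCsrfToken()
        .then((token) => { attachCsrfField(form, token); form.submit(); })
        .catch((err) => console.error('CSRF token fetch failed', err));
    });
  });
}
```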