:cq_csrf_token and form container core component

Julio_Baixauli
Level 4

Hi masters!

I'm trying to use the 'Form Container', from core components (core/wcm/components/form/container/v2/container), to send emails, configuring the 'Action Type' to 'Mail'.

But when the form is sent to the thank you page, a 403 message is shown, and I can see this in the error.log:

17.06.2019 10:30:23.629 *INFO* [0:0:0:0:0:0:0:1 [1560760223623] POST /content/hesperiaweb/language-masters/es/contacto.html HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting

17.06.2019 10:30:23.629 *INFO* [0:0:0:0:0:0:0:1 [1560760223623] POST /content/hesperiaweb/language-masters/es/contacto.html HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

I've done this in previous versions of AEM with the former 'foundation/components/form/start' component, and that component added the :cq_csrf_token field to the request. But it seems the new core component doesn't, or I'm missing something...

Could you help me?

Kind regards,

4 Replies
aemmarc
Employee

You need to check that the CSRF-Token is passed in the /clientheaders section in Dispatcher.
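For readers who do have a Dispatcher in front of the instance, this is the fragment of the farm file that the reply above is talking about. It is an added example, not configuration from the thread or from Adobe; the farm name and the other header names are assumed, and only the "CSRF-Token" entry matters for the 403 in the question. A POST whose token is stripped here reaches AEM with an empty token and is rejected exactly as in the error.log above.

```text
/farms
  {
  /publish
    {
    # Headers the Dispatcher forwards from the browser to AEM.
    # If "CSRF-Token" is missing from this list, the CSRF Protection
    # Framework on the AEM side sees no token and answers 403.
    /clientheaders
      {
      "referer"
      "user-agent"
      "authorization"
      "x-forwarded-for"
      "CSRF-Token"
      }
    # ... /virtualhosts, /renders, /filter, /cache as usual ...
    }
  }
```

A quick check after changing the file: restart Apache, then send a POST with a CSRF-Token header through the Dispatcher and confirm the "empty CSRF token - rejecting" line no longer appears in the AEM error.log.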

Julio_Baixauli
Level 4

Hi aem_marc.

I'm using only an AEM 6.5 author instance (no publish instance, no dispatcher). With an admin user!

Thank you anyway!

Kind regards,

victor_toledo_3
Level 3

Hi Julio, have you solved this problem? I face a similar problem after trying to configure an external URL as a thank you page.

David_McKinnon
Level 1

Hi @Julio_Baixauli,

I'm coming in very late to this question, but since this post comes up in searches for ":cq_csrf_token" it may help someone.

It appears that in AEM versions before 6.1, :cq_csrf_token was used, passed in request headers.

After that, as @aemmarc says, CSRF-Token is passed in the request headers.

For example, I'm working on legacy code which checks for :cq_csrf_token.

// legacy check: token read from the :cq_csrf_token request parameter
String csrf = request.getParameter(":cq_csrf_token");
if (StringUtils.isBlank(csrf)) {
    ...
}

Since we're switching to use AEM's CSRF Protection Framework, this doesn't work for us.

Changing to

// token read from the CSRF-Token name used by the CSRF Protection Framework
String csrf = request.getParameter("CSRF-Token");
if (StringUtils.isBlank(csrf)) {
    ...
}

works.
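To make the thread's two token names and the two log lines concrete, here is an added example of the exchange the CSRF Protection Framework expects. It is not code from the thread, from the Form Container, or from Adobe. The browser side fetches a token and attaches it as the CSRF-Token header; a small stand-in for the server-side filter classifies each POST as accepted, "empty" or "invalid", the three outcomes visible in the question's error.log. Assumptions, labelled in the code: the token endpoint path /libs/granite/csrf/token.json and its {"token": "..."} response follow the documented AEM default; the stand-in filter also accepts the legacy :cq_csrf_token form field as a fallback, which is this example's choice and not a statement about AEM's own filter; the form action and field names are constructed.

```javascript
// Added example: the CSRF Protection Framework exchange, runnable offline.
// Not code from the thread or from Adobe's Form Container.
//
// Assumptions: TOKEN_ENDPOINT and the {"token": "..."} shape are the
// documented AEM default; accepting LEGACY_FIELD as a fallback is this
// example's choice; the fake server, action path and fields are constructed.

const TOKEN_ENDPOINT = '/libs/granite/csrf/token.json';
const TOKEN_HEADER = 'CSRF-Token';
const LEGACY_FIELD = ':cq_csrf_token';

// --- browser side ---------------------------------------------------------

// Build the POST a form submit should send: the fields as a urlencoded body
// plus the token in the CSRF-Token header. Pure, so it can be inspected.
function buildFormPost(action, fields, token) {
  if (!token) throw new Error('refusing to build a POST without a CSRF token');
  return {
    url: action,
    init: {
      method: 'POST',
      credentials: 'same-origin',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        [TOKEN_HEADER]: token,
      },
      body: new URLSearchParams(fields).toString(),
    },
  };
}

// Fetch a token, then send the form. fetchImpl is injectable so the flow can
// be driven against the fake server below; in a page it is window.fetch.
async function submitWithCsrf(action, fields, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, { credentials: 'same-origin' });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const { token } = await res.json();
  const { url, init } = buildFormPost(action, fields, token);
  return fetchImpl(url, init);
}

// --- server side (stand-in for the CSRF filter) ---------------------------

// Classify a POST the way the filter's log lines do. `headers` and `params`
// are plain objects; `issued` is the token the server handed out.
function classifyCsrfToken(headers, params, issued) {
  // Header first; the legacy form field fallback is an assumption (see above).
  const sent = headers[TOKEN_HEADER] ?? params[LEGACY_FIELD] ?? '';
  if (sent === '') return 'empty';        // "empty CSRF token - rejecting"
  if (sent !== issued) return 'invalid';  // "the provided CSRF token is invalid"
  return 'ok';
}

// Constructed fake of an AEM author: issues one token, runs classifyCsrfToken
// on every POST and records what the real filter would have logged.
function makeFakeAem(issued = 'constructed-token-0123') {
  const log = [];
  const fetchImpl = async (url, init = {}) => {
    if (url === TOKEN_ENDPOINT) {
      return { ok: true, status: 200, json: async () => ({ token: issued }) };
    }
    const params = Object.fromEntries(new URLSearchParams(init.body || ''));
    const verdict = classifyCsrfToken(init.headers || {}, params, issued);
    log.push(`POST ${url}: ${verdict}`);
    const status = verdict === 'ok' ? 200 : 403;
    return { ok: status === 200, status, json: async () => ({}) };
  };
  return { fetchImpl, log };
}

// Usage: the POST from the question (no token) beside the correct flow.
async function demo() {
  const aem = makeFakeAem();
  const action = '/content/hesperiaweb/language-masters/es/contacto.html';
  const fields = { name: 'test', message: 'hello' };   // constructed fields

  // What the question describes: a form POST with no token at all -> 403.
  const bare = await aem.fetchImpl(action, {
    method: 'POST',
    body: new URLSearchParams(fields).toString(),
  });
  // Correct flow: obtain a token first and send it in the header -> 200.
  const good = await submitWithCsrf(action, fields, aem.fetchImpl);
  return { bare: bare.status, good: good.status, log: aem.log };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The point of keeping buildFormPost and classifyCsrfToken pure is that each side can be checked on its own: if a real POST still gets a 403, compare the headers the browser actually sent (DevTools, Network tab) with what buildFormPost produces, and compare the server's verdict with the two filter log lines quoted in the question.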