
SOLVED

CSRF (/libs/granite/csrf/token.json) call is loading from Edge disk cache


Level 6

Hi,

After we enabled SAML authentication, all our POST calls were failing with 403.

We resolved it by adding the "granite.csrf.standalone" clientlib at the template level.

But now in the Edge browser, after some idle time, the CSRF token generation API (/libs/granite/csrf/token.json) loads from the Edge browser cache and does not return the actual token as the response.

Because of this, all POST calls fail with 403 until we clear the cache manually.

Is there any way we can block this API from loading from the browser's disk cache?

 

Request: (screenshot: akhilraj_0-1684906254528.png)

Response: (screenshot: akhilraj_1-1684906274903.png)

Post Call: (screenshot: akhilraj_3-1684906342089.png)

Expected Response: (screenshot: akhilraj_2-1684906296113.png)
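The client side of the problem described in the question, as an added example that is not part of the original post and not the code of AEM's granite.csrf.standalone clientlib: the token is requested with the browser's HTTP cache bypassed (cache: "no-store"), sent on POSTs in the CSRF-Token header, and refreshed once if the server answers 403. fetchImpl is injected so the block runs offline against a constructed fake of fetch(); in a browser you would pass window.fetch. The URL, the endpoint path and the token values are assumptions for the example.

```javascript
// Added example, not code from the thread or from AEM's granite.csrf.standalone
// clientlib: fetch the Granite CSRF token with the browser cache bypassed,
// attach it to POSTs, and retry once with a fresh token on 403.
// fetchImpl is injected so the block runs offline against the constructed fake
// below; in a browser you would pass window.fetch.

const TOKEN_URL = "/libs/granite/csrf/token.json";
const TOKEN_HEADER = "CSRF-Token";

async function fetchCsrfToken(fetchImpl) {
  // cache: "no-store" tells the browser neither to answer this request from its
  // HTTP cache nor to store the response, so a stale disk copy of token.json
  // (the failure reported in the thread) is never returned here.
  const res = await fetchImpl(TOKEN_URL, {
    method: "GET",
    cache: "no-store",
    credentials: "same-origin",
    headers: { Accept: "application/json" },
  });
  if (!res.ok) throw new Error(`${TOKEN_URL} returned HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.token !== "string" || body.token.length === 0) {
    throw new Error(`${TOKEN_URL} returned no token`);
  }
  return body.token;
}

async function postWithCsrf(fetchImpl, url, body) {
  const send = async (token) =>
    fetchImpl(url, {
      method: "POST",
      credentials: "same-origin",
      headers: { [TOKEN_HEADER]: token },
      body,
    });

  let res = await send(await fetchCsrfToken(fetchImpl));
  if (res.status === 403) {
    // The token was rejected (stale or expired): fetch a fresh one and retry
    // exactly once, so a genuinely forbidden POST still surfaces as 403.
    res = await send(await fetchCsrfToken(fetchImpl));
  }
  return res;
}

// Constructed fake of fetch(): token.json hands out tokens from a queue (so a
// stale token can be simulated), then the current one; the POST endpoint
// (assumed path) accepts only validToken. Every call is recorded for checks.
function makeFakeFetch(tokenQueue, validToken) {
  const calls = [];
  const fetchImpl = async (url, init = {}) => {
    const headers = init.headers || {};
    calls.push({ url, method: init.method || "GET", cache: init.cache, headers });
    if (url === TOKEN_URL) {
      const token = tokenQueue.length > 0 ? tokenQueue.shift() : validToken;
      return { ok: true, status: 200, json: async () => ({ token }) };
    }
    const ok = init.method === "POST" && headers[TOKEN_HEADER] === validToken;
    return { ok, status: ok ? 200 : 403, json: async () => ({}) };
  };
  return { fetchImpl, calls };
}

// Scenario from the thread: the first token.json answer is stale, so the first
// POST gets 403; the retry obtains the current token and succeeds.
async function runScenario(tokenQueue, validToken) {
  const { fetchImpl, calls } = makeFakeFetch([...tokenQueue], validToken);
  const res = await postWithCsrf(fetchImpl, "/content/site/en/form.html", "field=value");
  const tokenCalls = calls.filter((c) => c.url === TOKEN_URL);
  return {
    status: res.status,
    tokenFetches: tokenCalls.length,
    posts: calls.filter((c) => c.method === "POST").length,
    allNoStore: tokenCalls.every((c) => c.cache === "no-store"),
  };
}

runScenario(["stale-token"], "fresh-token").then((r) => console.log(JSON.stringify(r)));
```

The retry is deliberately limited to one attempt: if the second POST is also refused, the 403 is a real authorization failure and should not be masked by an endless token loop.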

 

1 Accepted Solution


Correct answer by
Level 6

Thanks @aanchal-sikka for the information.

Actually, when it was loading from the server, no-cache was present in Cache-Control.

But when it was loading from disk, it was not present.

And we have fixed the issue now.

Root Cause:

The issue appears to be caused by the token.json file being cached on the nodes where the issue is observed. We have added a rule to disable caching of token.json on the publish dispatchers and removed the cached file.

 

/0003
  {
  #Deny caching of CSRF token.json
  /glob "/libs/granite/csrf/token.json"
  /type "deny"
  }

 

The token.json cache was present on a few dispatchers and caused the issue. Clearing the dispatcher cache under /srv/www/cache/publish/libs/granite/csrf resolved the issue.
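Two checks that reproduce the diagnosis in the accepted answer and in the header discussion above, as an added example that is not part of the thread and not Adobe's dispatcher code. cacheVerdict() reads a response's Cache-Control and says what an HTTP cache (browser or CDN) may do with it; dispatcherMayCache() evaluates a /cache /rules list the way the dispatcher does, in order with the last matching rule winning, over a rules fragment shaped like the one in the answer. The sample headers and the rules text are constructed; the glob matcher supports only the '*' wildcard and a path that matches no rule is treated as not cacheable, both assumptions for the example. One caveat the answer's observation illustrates: a file the dispatcher has cached is served by the web server straight from disk with the web server's own headers, so the origin's Cache-Control: no-cache is absent from the cached copy unless dispatcher header caching (/headers) is configured; the deny rule is what actually keeps token.json out of that path.

```javascript
// Added example, not from the thread or from Adobe's dispatcher: two checks a
// practitioner runs while diagnosing a cached token.json.
//  1. cacheVerdict(): what the response's Cache-Control permits an HTTP cache to do.
//  2. dispatcherMayCache(): whether a dispatcher /cache /rules list allows a path
//     to be cached. Rules are evaluated in order and the last matching rule wins;
//     the glob matcher supports only '*' and a path matching no rule is treated
//     as not cacheable (assumptions made for this example).

function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value).split(",")) {
    const item = part.trim();
    if (item === "") continue;
    const eq = item.indexOf("=");
    if (eq === -1) {
      directives.set(item.toLowerCase(), true);
    } else {
      const v = item.slice(eq + 1).trim().replace(/^"|"$/g, "");
      directives.set(item.slice(0, eq).trim().toLowerCase(), v);
    }
  }
  return directives;
}

// Case-insensitive lookup in a plain header object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? "" : headers[key];
}

// "no-store": must not be cached; "revalidate": may be stored but must be checked
// with the origin before reuse; "fresh:N": reusable for N seconds; "heuristic":
// no explicit freshness, so a cache may reuse it under its own heuristics.
function cacheVerdict(headers) {
  const cc = parseCacheControl(headerValue(headers, "Cache-Control"));
  if (cc.has("no-store")) return "no-store";
  if (cc.has("no-cache")) return "revalidate";
  if (cc.has("max-age")) return `fresh:${parseInt(cc.get("max-age"), 10)}`;
  return "heuristic";
}

// Minimal parser for the /glob ... /type ... pairs inside a /cache /rules block.
function parseDispatcherRules(text) {
  const rules = [];
  const re = /\/glob\s+"([^"]*)"\s*\/type\s+"(allow|deny)"/g;
  let m;
  while ((m = re.exec(text)) !== null) rules.push({ glob: m[1], type: m[2] });
  return rules;
}

function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

function dispatcherMayCache(path, rules) {
  let allowed = false; // assumption: no matching rule means not cached
  for (const rule of rules) {
    if (globToRegExp(rule.glob).test(path)) allowed = rule.type === "allow";
  }
  return allowed;
}

// Constructed inputs modelled on the thread: the origin answer carried
// Cache-Control: no-cache, the copy served from the dispatcher's disk did not.
const ORIGIN_HEADERS = { "Content-Type": "application/json;charset=utf-8", "Cache-Control": "no-cache" };
const DISK_COPY_HEADERS = { "Content-Type": "application/json", "Last-Modified": "Wed, 24 May 2023 06:10:54 GMT" };

// Constructed rules fragment: allow everything, then deny token.json (last match wins).
const RULES_TEXT = `
/rules
  {
  /0000 { /glob "*" /type "allow" }
  /0003
    {
    #Deny caching of CSRF token.json
    /glob "/libs/granite/csrf/token.json"
    /type "deny"
    }
  }
`;

function report() {
  const rules = parseDispatcherRules(RULES_TEXT);
  return {
    originVerdict: cacheVerdict(ORIGIN_HEADERS),
    diskCopyVerdict: cacheVerdict(DISK_COPY_HEADERS),
    tokenJsonCached: dispatcherMayCache("/libs/granite/csrf/token.json", rules),
    pageCached: dispatcherMayCache("/content/site/en.html", rules),
  };
}

console.log(JSON.stringify(report()));
```

Note the ordering: if the deny rule were listed before the catch-all allow, the allow would match last and token.json would be cached again, which is why the answer's rule carries a higher number than the default allow.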


8 Replies


Employee Advisor

Hi @akhilraj ,

 

You could make use of the cache configuration to control it for specific path(s).

 

 

Cache-Control: no-cache

 

 

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control 

 

Also, validate the dispatcher configuration.

Under the /cache /rules section of your publish-farm.any, add a rule to block the dispatcher from caching the token.json file.

https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/configuring-... 

 

Hope this helps!

 

Regards,

Nitesh


Level 6

Hi @nitesh_kumar ,

 

We have this configuration already present.

(screenshot: akhilraj_0-1684911699168.png)

But in the Edge browser, after some timeout, it loads from the browser cache only and does not give a proper response.


Level 6

Hi @akhilraj ,

So is the issue happening only in the Edge browser? How is the behaviour in Chrome, Mozilla, etc.?

Thanks,

Somen


Level 6

Hi @somen-sarkar ,

 

The issue is present in Chrome as well.

(screenshot: akhilraj_0-1684992317671.png)

If we uncheck "Disable cache", it loads from disk cache. But in the lower environment it always gets the data from the server.


Community Advisor

Hello @akhilraj 

 

Can you please verify the value of the Cache-Control header in the request? For us, it's set as no-cache and it's not loaded from disk cache.

(screenshot: aanchalsikka_0-1685037405233.png)

 

- Do you have AEM 6.5 or a Cloud instance?

- If Cloud, could you possibly have used

Define DISABLE_DEFAULT_CACHING

Please try setting the Cache-Control header as no-cache and check.


Aanchal Sikka



Community Advisor

Hello @akhilraj 

 

Requesting you to please validate that all configurations are done as per https://github.com/AdobeDocs/experience-manager-dispatcher.en/blob/main/help/using/configuring-dispa...

 

You can also exclude paths for validation using the approach suggested on https://www.albinsblog.com/2023/03/what-is-csrf-how-is-csrf-protection-enabled-in-aem.html


Aanchal Sikka