Expand my Community achievements bar.

SOLVED

CSRF token call giving empty response in AEM publish

Avatar

Level 1

I am using CSRF token header in post form submission. In author instance, I am able to get CSRF token through call to /libs/granite/csrf/token.json but same call in publish instance is giving empty json i.e. { } when I am accessing it an anonymous user. Please let me know if there are any step to get valid CSRF token publish instance.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @nitinfuture ,

 

CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.

 

https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...

 

Screenshot 2020-08-21 at 00.15.52.png

However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json), and include the returned token in your servlet request as the “CSRF-Token” header. Please add below mentioned configurations in your dispatcher:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...

View solution in original post

1 Reply

Avatar

Correct answer by
Community Advisor

Hi @nitinfuture ,

 

CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.

 

https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...

 

Screenshot 2020-08-21 at 00.15.52.png

However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json), and include the returned token in your servlet request as the “CSRF-Token” header. Please add below mentioned configurations in your dispatcher:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...