Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

CSRF Token | Intermittent Empty Response | Encapsulated Token Support

Avatar

Employee
Employee
6/30/23 1:27:33 PM

Background
Customer is on AEM 6.5 on-prem and trying to enable the CSRF token and accessing the CSRF token via dispatcher. The token is sometimes generated correctly and sometimes gives a blank response. - The issue is only happening on UAT environment , where there are 2 publishers and 4 dispatchers attached. When we disabled other 3 dispatchers and publishers and checked the scenario with only 1 publisher and 1 dispatcher , then there is no issues and the token is generated successfully at all times. Only when all publishers/dispatchers are enabled the CSRF token is returned blank intermittently. 
We have verified, customer has put
1.  granite.csrf.standalone dependency in the required templates
2. Dispatcher configurations for CSRF support has been added for both filter and cache rules
3. HMAC Key has been replicated from author to the 2 publishers. 

To fix this issue we tried enabling the Encapsulated Token Support on UAT Publish 1. After that the CSRF token was generated successfully at all time while accessing via the dispatcher, but after sometime the Publish 1 instance got corrupted and below error was noted : 

java.io.IOException: java.io.IOException: org.apache.jackrabbit.core.data.DataStoreException: Record f097b81997116c7596eb2b7d88448f515808e49db4082dd908886cb535ecefdb does not exist. 

Customer recreated Publish 1 instance and again configured the  Encapsulated Token Support. Again the instance got corrupted. 
Questions: 
1. Intermittently CSRF token is coming blank while accessing via dispatcher url on UAT environment , where there are multiple publishers and dispatchers. With single publish and dispatcher the CSRF token is generated successfully at all times. What could be the fix to this ?
2. The issue seemed to be fixed when we enabled Enapsulated token support on UAT publish1, but the instance got corrupted after sometime.(Error mentioned above) What could be done to fix this if this is the right approach?

Views

827

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
7/3/23 12:02:09 AM

Hello @Himanshu_Phulara - 

 

The issue you're facing with the CSRF token and the intermittent blank response could be related to the configuration and setup of your AEM environment. Here are some suggestions to address your questions:

 

1. Fixing Intermittent Blank CSRF Token:

  • Double-check the Dispatcher configurations for all dispatchers to ensure that the CSRF support has been correctly added in both filter and cache rules.
  • Validate that the Dispatcher caching is properly configured to avoid any caching conflicts that might affect the CSRF token generation.
  • If you're using Akamai/Fastly, review its settings to ensure that it is correctly forwarding requests to the appropriate publishers and dispatchers. (double-check through logs once)
  • Also could you please check/share the Dispatcher logs for any relevant errors/warnings that might give more highlights on the intermittent blank issue?

 

2. Encapsulated Token Support and Instance Corruption:

  • Double-check the configuration of Encapsulated Token Support on UAT Publish 1 to ensure that it is properly set up according to Adobe's documentation & best practices.
  • Analyze the logs of the corrupted instance to identify any specific errors or issues that occurred after enabling Encapsulated Token Support. Look for any potential conflicts or misconfigurations that might have led to the instance corruption.
  • If enabling Encapsulated Token Support consistently leads to instance corruption. You may want to explore alternative approaches or configurations that provide a stable CSRF token generation.

View solution in original post

Views

785

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Community Advisor
Community Advisor
7/2/23 7:20:19 PM

@Himanshu_Phulara have you checked the request flow when empty response is received? Is it getting served from dispatcher or publisher? Is it any consistent pattern of one publisher serving empty response or is it random? What if we hit same publisher directly during the same time.

Views

798

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
7/2/23 8:34:58 PM

@Himanshu_Phulara 

 

I guess one way to fix the issue would be to use the 1:1 dispatcher and publish mapping and with this approach you can configure the sticky sessions, which ensures that the token retry is always successful. 

 

With the existing setup (2 publish & 4 dispatchers), is there any user sync running on the publish instances? If yes, disable the sync and test the tokens.

 

Thanks

Lokesh 

Views

793

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee
Employee
7/13/23 3:03:11 AM
In response to Lokesh_Vajrala

Hi Lokesh,
With sticky connections although a user would always be directed to the same publish instance, As a consequence, truly optimal load balancing is not possible. In case a publish instance becomes unavailable, all the users authenticated on that instance will lose their session.

Views

639

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
7/3/23 12:02:09 AM

Hello @Himanshu_Phulara - 

 

The issue you're facing with the CSRF token and the intermittent blank response could be related to the configuration and setup of your AEM environment. Here are some suggestions to address your questions:

 

1. Fixing Intermittent Blank CSRF Token:

  • Double-check the Dispatcher configurations for all dispatchers to ensure that the CSRF support has been correctly added in both filter and cache rules.
  • Validate that the Dispatcher caching is properly configured to avoid any caching conflicts that might affect the CSRF token generation.
  • If you're using Akamai/Fastly, review its settings to ensure that it is correctly forwarding requests to the appropriate publishers and dispatchers. (double-check through logs once)
  • Also could you please check/share the Dispatcher logs for any relevant errors/warnings that might give more highlights on the intermittent blank issue?

 

2. Encapsulated Token Support and Instance Corruption:

  • Double-check the configuration of Encapsulated Token Support on UAT Publish 1 to ensure that it is properly set up according to Adobe's documentation & best practices.
  • Analyze the logs of the corrupted instance to identify any specific errors or issues that occurred after enabling Encapsulated Token Support. Look for any potential conflicts or misconfigurations that might have led to the instance corruption.
  • If enabling Encapsulated Token Support consistently leads to instance corruption. You may want to explore alternative approaches or configurations that provide a stable CSRF token generation.

Views

786

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
AEMaaCS supports Cloudfare CDN? Solved

Views

81

Likes

0

Replies

2
is AEM 6.5 supported on Ubuntu 24.04 Solved

Views

183

Likes

0

Replies

1
Support Image and Video in OTB AEM Teaser Component Solved

Views

344

Likes

0

Replies

3
Does Adobe support Composite Multifield in Content Fragment? Solved

Views

156

Likes

0

Replies

1
Need help in Purge tokens for CDN and how to generate them Solved

Views

199

Likes

0

Replies

1