Expand my Community achievements bar.

SOLVED

CSRF token is empty in 6.3 publisher for anonymous user

Avatar

Level 1
Level 1
10/10/18 3:35:40 AM

In the anonymous user POST calls, i want to enable the CSRF token. However its empty, {} in the publish instance of AEM 6.3. I have added the configurations mentioned in the below link, but it is not working.

Adobe Experience Manager Help | Understanding Cross-Origin Resource Sharing (CORS) with AEM

Can anyone suggest what might be wrong?

Views

640

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
5/21/24 3:56:46 AM

CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.

 

https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...

 

aanchalsikka_0-1716288984894.png

 

However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json), and include the returned token in your servlet request as the “CSRF-Token” header. Please add below mentioned configurations in your dispatcher:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...

Aanchal Sikka

View solution in original post

Views

157

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Community Advisor
Community Advisor
5/21/24 3:56:46 AM

CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.

 

https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...

 

aanchalsikka_0-1716288984894.png

 

However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json), and include the returned token in your servlet request as the “CSRF-Token” header. Please add below mentioned configurations in your dispatcher:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...

Aanchal Sikka

Views

158

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
AEM Rockstar IX is open for submissions

Views

24

Likes

0

Replies

0
AEMaaCS: Is there a way to get usergenerated content from Publish to Author?

Views

154

Likes

0

Replies

4
Is there a way to Log request.headers in AEM CS Dispatcher?

Views

137

Likes

0

Replies

2
How to add validators for letters check?

Views

123

Likes

0

Replies

2
Clipping Path Details in Image Binary Metadata

Views

115

Likes

0

Replies

1