Expand my Community achievements bar.

SOLVED

CSRF token is empty in 6.3 publisher for anonymous user

Avatar

Level 1
Level 1
10/10/18 3:35:40 AM

In the anonymous user POST calls, i want to enable the CSRF token. However its empty, {} in the publish instance of AEM 6.3. I have added the configurations mentioned in the below link, but it is not working.

Adobe Experience Manager Help | Understanding Cross-Origin Resource Sharing (CORS) with AEM

Can anyone suggest what might be wrong?

Views

556

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
5/21/24 3:56:46 AM

CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.

 

https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...

 

aanchalsikka_0-1716288984894.png

 

However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json), and include the returned token in your servlet request as the “CSRF-Token” header. Please add below mentioned configurations in your dispatcher:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...

Aanchal Sikka

View solution in original post

Views

73

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Community Advisor
Community Advisor
5/21/24 3:56:46 AM

CSRF is meant to protect authenticated sessions. The basic idea is: the server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore / log it. Your CSRF token should ideally only be passed to the client upon authentication.

 

https://docs.adobe.com/content/help/en/experience-manager-65/developing/introduction/csrf-protection...

 

aanchalsikka_0-1716288984894.png

 

However, you can make an AJAX request to the CSRF token endpoint (/libs/granite/csrf/token.json), and include the returned token in your servlet request as the “CSRF-Token” header. Please add below mentioned configurations in your dispatcher:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/configuring-dispatcher-to-...

Aanchal Sikka

Views

74

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Latest updated asset is not updating on page with Activate later Page in AEM

Views

31

Likes

0

Replies

0
Adaptive Form Email Template in Other Language

Views

21

Likes

0

Replies

0
When both author and publisher are set up locally, both author and publisher get signed out frequently.

Views

15

Likes

0

Replies

0
How to set a limit to parasys to allow a number of components in AEM

Views

87

Likes

0

Replies

2
Purging CDN cache in AEMaCs (Using Adobe CDN)

Views

52

Likes

0

Replies

1