
csrf token publish vs dispatcher (login vs logout) and POST ajax requests


Level 7

The CSRF token is available when logged into the publish environment.

The CSRF token is not available when logged out of the AEM publish environment.

The CSRF token is not available at all on the dispatcher environment, whether you are logged into publish or not.

Dispatcher:

The application is accessed using the dispatcher URL:

POST ajax requests are failing when the token is not available on IE (promise.reject); in Chrome it silently goes into the promise resolve method of csrf.js even though the token is not available.

Am I missing anything here?

The application does not depend on the client library granite.jquery or cq.jquery, but it seems that by default AEM 6.3 has this feature enabled, and for all ajax requests the csrf.js code gets executed.

I appreciate any help.

Thanks,

Sreeni

5 Replies


Level 10

Checking with our internal Dispatcher experts here.


Level 10

They replied:

They have to allow /libs/granite/csrf/token.json via the dispatcher filter rules. Also, csrf/token.json doesn't work for anonymous form POST requests, only for ones where the user is logged in.


Level 7

The application has a filter to allow /libs/granite/csrf/token.json.

The user is always anonymous and unauthenticated when accessing the application through the dispatcher URL.

token.json always returns an empty response {} as the user is anonymous.

The promise code inside csrf.js intermittently executes promise.resolve / promise.reject for POST requests; when the code executes the following lines, the application hangs.

    // csrf.js waits for the token promise, then issues the original XHR send
    promise.then(function(token) {
        // resolved: set the CSRF header (token is undefined when token.json returned {})
        self.setRequestHeader(HEADER_NAME, token);
        send.apply(self, args);
    }, function() {
        // rejected: log the failure and send the request without the header
        if (window.console) {
            console.error('Unable to read CSRF meta information');
        }
        send.apply(self, args);
    });

Thanks,

Sreeni
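As an added example (not AEM's csrf.js and not the poster's code), here is a defensive client-side wrapper for the situation described above: it treats the empty {} body that anonymous users get from token.json as "no token", only sets the CSRF header when a real token exists, and bounds the token lookup with a timeout so the POST can never hang. The names parseTokenResponse, csrfHeaders, resolveToken, sendWithCsrf and the injected fetchJson/sendFn callbacks are hypothetical; the header name CSRF-Token and the token.json path are AEM's.

```javascript
// Added example: defensive CSRF token handling around an AEM POST.
// Hypothetical helper names; fetchJson(url) and sendFn(headers) are injected
// so the logic can be exercised without a browser.

const HEADER_NAME = 'CSRF-Token';                 // header AEM's csrf.js sets
const TOKEN_URL = '/libs/granite/csrf/token.json';

// Extract the token from a token.json body. Anonymous users receive "{}",
// so a missing, empty or unparsable token yields null (never undefined).
function parseTokenResponse(body) {
  try {
    const data = typeof body === 'string' ? JSON.parse(body) : body;
    if (data && typeof data.token === 'string' && data.token.length > 0) {
      return data.token;
    }
  } catch (e) {
    // malformed JSON: treat as "no token" instead of throwing
  }
  return null;
}

// Only add the CSRF header when a real token exists; sending
// "CSRF-Token: undefined" is what the silent Chrome resolve path does.
function csrfHeaders(token) {
  return token ? { [HEADER_NAME]: token } : {};
}

// Resolve the token, but never wait longer than timeoutMs: a blocked or slow
// token.json (e.g. a dispatcher filter that denies it) resolves to null.
function resolveToken(fetchJson, timeoutMs) {
  let timer;
  const timeout = new Promise(resolve => {
    timer = setTimeout(() => resolve(null), timeoutMs);
  });
  const fetched = fetchJson(TOKEN_URL).then(parseTokenResponse, () => null);
  return Promise.race([fetched, timeout]).finally(() => clearTimeout(timer));
}

// Send exactly once, with the header only when a token was obtained.
// sendFn(headers) performs the actual POST and returns a promise.
function sendWithCsrf(fetchJson, sendFn, timeoutMs = 2000) {
  return resolveToken(fetchJson, timeoutMs).then(token => sendFn(csrfHeaders(token)));
}
```

Note that for an anonymous user the request still goes out without a token, so the server-side CSRF filter offers no protection for those POSTs; the wrapper only stops the client from hanging or sending a bogus header.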


Level 7

ContextHub related calls give "InvalidStateError" and then "Unable to read CSRF meta information".

If I disable ContextHub, the page works fine.

Thanks,

Sreeni


Level 10

I recommend checking this with Support as there could be a bug. I am not reading anything in the docs to suggest that this is normal behavior.