csrf token publish vs dispatcher (login vs logout) and POST ajax requests

sreenu539

06-12-2017

csrf token is available when logged into publish environment.

csrf token is not available when logged out of aem publish environment

csrf token is not available all the time on dispatcher environment whether you are logged into publish or not.

Dispatcher:

Application is accessed using dispatcher url:

POST ajax requests are failing when token is not available on IE (promise.reject); in chrome it is silently going into the promise resolve method of csrf.js even though the token is not available.

Am I missing anything here?

Application does not depend on the client library granite.jquery or cq.jquery, but it seems by default AEM 6.3 has this feature enabled, and for all ajax requests the csrf.js file code gets executed.

I appreciate any help.

Thanks,

Sreeni

Replies

smacdonald2008

06-12-2017

Checking with our internal Dispatcher experts here.

smacdonald2008

07-12-2017

They replied:

They have to allow /libs/granite/csrf/token.json in the dispatcher filter rules. Also, csrf/token.json doesn't work for anonymous form POST requests, only for ones where the user is logged in.

sreenu539

07-12-2017

Application has a filter to allow /libs/granite/csrf/token.json.

User is always anonymous and unauthenticated when accessing the application through the dispatcher url.

token.json always returns the empty response {} as the user is anonymous.

The promise code inside csrf.js intermittently executes promise.resolve or promise.reject for POST requests; when the code executes the following lines, the application hangs.

    promise.then(function(token) {
        // token.json answered: set the CSRF header, then send the original request
        self.setRequestHeader(HEADER_NAME, token);
        send.apply(self, args);
    }, function() {
        // token.json failed: log and send the request without the header
        if (window.console) {
            console.error('Unable to read CSRF meta information');
        }
        send.apply(self, args);
    });

Thanks,

Sreeni
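An added example in JavaScript, not the poster's code and not AEM's csrf.js: a small helper that fetches token.json and makes its three outcomes explicit (a token for a logged-in user, the empty {} an anonymous user gets, and a non-200 when the dispatcher filter blocks the endpoint), so a POST never depends on which of the two then/reject callbacks happens to run. The header name CSRF-Token, the injectable fetch and the fakeFetch responses are assumptions constructed for this example.

```javascript
// Added example, not AEM's csrf.js: a minimal client helper that makes the
// three outcomes of /libs/granite/csrf/token.json explicit (token present,
// anonymous user getting {}, endpoint blocked by the dispatcher filter)
// instead of leaving them to a then/reject callback.
const TOKEN_ENDPOINT = '/libs/granite/csrf/token.json';
const HEADER_NAME = 'CSRF-Token'; // header checked by AEM's CSRF filter (assumed here)

// Parse the token.json body. Logged in: {"token":"..."}; anonymous: {} (as the thread reports).
function parseTokenResponse(bodyText) {
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch (e) {
    return { token: null, reason: 'malformed' };
  }
  if (parsed && typeof parsed.token === 'string' && parsed.token.length > 0) {
    return { token: parsed.token, reason: 'ok' };
  }
  return { token: null, reason: 'anonymous' };
}

// fetchImpl is injectable so the helper runs offline; in a browser pass window.fetch.
async function getCsrfToken(fetchImpl) {
  let res;
  try {
    res = await fetchImpl(TOKEN_ENDPOINT, { credentials: 'same-origin' });
  } catch (e) {
    return { token: null, reason: 'network' };
  }
  if (res.status !== 200) {
    // 403/404 here usually means the dispatcher /filter section does not allow the endpoint.
    return { token: null, reason: 'http-' + res.status };
  }
  return parseTokenResponse(await res.text());
}

// Only state-changing methods need the header; never send an empty header value.
function headersFor(method, tokenResult, baseHeaders = {}) {
  const headers = Object.assign({}, baseHeaders);
  const needsToken = !['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase());
  if (needsToken && tokenResult.token) {
    headers[HEADER_NAME] = tokenResult.token;
  }
  return headers;
}

// Constructed fake fetch covering the cases discussed in the thread (offline use only).
function fakeFetch(status, body) {
  return async () => ({ status, text: async () => body });
}
```

When tokenResult.token is null the request goes out without the header and the server-side CSRF filter makes the decision; logging tokenResult.reason lets you tell a blocked endpoint (http-403/404) apart from a genuinely anonymous session.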

sreenu539

07-12-2017

ContextHub related calls are giving "InvalidStateError" and then "Unable to read CSRF meta information".

If I disable contexthub, page works fine.

Thanks,

Sreeni

smacdonald2008

08-12-2017

I recommend checking this with Support as there could be a bug. I am not reading anything in the docs to suggest that this is normal behavior.