Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Form submission is getting failed with Empty CSRF token error entry in logs

Avatar

Level 3

hi Team ,

 

Need some urgent help on the following issue for my project. We are on AEM 6.5.3.

PROBLEM DESCRIPTION 

On our production sites, when some of the users, submit forms, they see a broken page instead of a proper thank you page. This is an intermittent issue but has an impact on a large number of users.

 

LOGS

When checking error logs, we found the below logs. There is no further entry in the error logs on publishers regarding form failure.

02.02.2021 12:21:42.056 *INFO* [10.43.32.27 [1612268502054] POST /content/project_name/language-masters/en/forms/content-preference-center/_jcr_content/root/responsivegrid/maincontentcontainer/100contentcontain/center/form.post.html HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting 02.02.2021 12:21:42.056 *INFO* [10.43.32.27 [1612268502054] POST /content/project_name/language-masters/en/forms/content-preference-center/_jcr_content/root/responsivegrid/maincontentcontainer/100contentcontain/center/form.post.html HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid It seems CSRF token is not getting associated with form requests or tokens are getting expired while submitting the form. In our OSGI configuration, we have POST, PUT and DELETE requests added for CSRF filters.

 

CHECKED THE FOLLOWING 

1. The Adobe Granite CSRF Framework config is in an Active state 

2. CSRF Servlet Config settings are as below:

samikshaa223429_0-1613116541700.png

3. The CSRF Component state is ACTIVE 

samikshaa223429_1-1613116579749.png

4. Adobe Granite CSRF Filter config settings are as below 

samikshaa223429_2-1613116614581.png

Let me know what could be a probable reason for this error. 

 

Thanks,

Samiksha

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Are you able to replicate this issue in Stage (lower) environment ?

1) Is this working with direct publish URLs?

2) Validate with ELB url?

3) Is this issue with all domains or few domains?

4) Check the dispatcher configurations

5) Validate by flushing Dispatcher / CDN cache

 

If above all looks good, work with AMS to validate CDN

Then Check the CDN - if any URLs to whitelist 

/libs/granite/csrf path to whitelist on CDN

View solution in original post

4 Replies

Avatar

Correct answer by
Community Advisor

Are you able to replicate this issue in Stage (lower) environment ?

1) Is this working with direct publish URLs?

2) Validate with ELB url?

3) Is this issue with all domains or few domains?

4) Check the dispatcher configurations

5) Validate by flushing Dispatcher / CDN cache

 

If above all looks good, work with AMS to validate CDN

Then Check the CDN - if any URLs to whitelist 

/libs/granite/csrf path to whitelist on CDN

Avatar

Level 3

hi Suresh,

Answering the question below 

1) Is this working with direct publish URLs? - Yes 

2) Validate with ELB url? 

3) Is this issue with all domains or few domains? - WIth all domains

4) Check the dispatcher configurations - Verified the below dispatcher configs

  1. We tried to set clientlib dependency for forms component from “cq.jquery” to “granite.jquery”.
  2. We updated the dispatcher configuration to include CSRF_Token in the client headers.
  3. We checked all the filters related to csrf-token, they are already present in dispatcher filters.
  4. /0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *" } in filters , also added deny for it to escape caching 
  5. /4321

    {

    /glob "/libs/granite/csrf/token.json"

    /type "deny"

    }

5) Validate by flushing Dispatcher / CDN cache - DONE

 

NOTE: It is noticed that it only occurs when there is an authenticated user session( logged in through a different page) exists in the browser. The form submission is currently unauthenticated, however, if the user is logged in through the support portal of the website, the form submission fails. Since we are not saving this token into our headers, if we move to any form and submit it, the form will get submitted with an empty token but the server treats the user as an authenticated user. Hence mismatch in CSRF tokens. 

 

Thanks,

Samiksha

Avatar

Community Advisor
Then Check AMS on CDN - ito whitelist /libs/granite/csrf path to whitelist on CDN

Avatar

Level 3
Does your form render CSRF token at all? Maybe the form has no capability to render it and hence it doesn't work.