Invalidate CSRF Token

divyav15815834
08-07-2020

Hi,

We know that currently the CSRF token has an expiration of 10 minutes and a token is generated every 5 minutes.

We have a requirement wherein they do not want the "CSRF Token" submitted on the POST request to be used again. In scenarios where we have multiple steps (POST requests) in a flow, or when you try to replay the XHR request, it uses the same CSRF token for every form submit.

Is there any way we can invalidate the CSRF token once it is used and regenerate a new one for the subsequent requests?

Thanks,

Divya

AEM CSRF Token

Accepted Solutions (1)

Vaibhavi
MVP

08-07-2020

Hi @divyav15815834,

As you have mentioned, the expiration is set to 10 minutes and a token is generated every 5 minutes.

It is not recommended to update the OOTB CSRF functionality.

We can find the CSRF token at the path below:

/libs/granite/csrf/token.json

Also, the default CSRF script is available at the path below:

/libs/clientlibs/granite/jquery/granite/csrf/source/csrf.js

Both are internal areas and Adobe does not recommend overriding them.

An alternative solution would be:

You can disable the CSRF token generation by initialising an empty window.Granite.csrf variable wherever it is not necessary, if you are implementing custom CSRF.

The piece of script below helps in disabling the CSRF token generation:

<script type="text/javascript">
    window.Granite = window.Granite || {};
    // Mark the Granite CSRF client as already initialised so csrf.js skips its setup
    window.Granite.csrf = {
        initialised: true
    };
</script>

Please do take the security checklist into consideration.
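To show the per-request behaviour the question asks for, here is an added example (not code from this thread, nor from Adobe's csrf.js): a small client helper that requests a new token from /libs/granite/csrf/token.json immediately before each POST and sends it in the CSRF-Token header, instead of reusing one token for every form submit. It assumes the endpoint's {"token": "..."} response shape and the CSRF-Token header name; the fake fetch at the end is constructed so the flow can be run offline.

```javascript
// Added example, not from the thread: fetch a fresh Granite CSRF token for
// each POST instead of reusing the one csrf.js caches. Assumed, not stated
// in the thread: endpoint answers {"token": "..."}, filter reads "CSRF-Token".
const TOKEN_ENDPOINT = "/libs/granite/csrf/token.json";
const TOKEN_HEADER = "CSRF-Token";

// Validate the token endpoint's JSON body and return the token string.
function extractToken(body) {
  if (!body || typeof body.token !== "string" || body.token.trim() === "") {
    throw new Error("CSRF token endpoint returned no usable token");
  }
  return body.token;
}

// Build fetch options for a form POST that carries the given token.
function buildPostOptions(token, fields) {
  return {
    method: "POST",
    credentials: "same-origin",
    headers: {
      [TOKEN_HEADER]: token,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams(fields).toString(),
  };
}

// Fetch a token and spend it on exactly one POST. fetchImpl is injectable
// so the flow can be exercised without a running AEM instance.
async function postWithFreshToken(url, fields, fetchImpl = globalThis.fetch) {
  const tokenRes = await fetchImpl(TOKEN_ENDPOINT, { credentials: "same-origin" });
  if (!tokenRes.ok) throw new Error(`token endpoint returned HTTP ${tokenRes.status}`);
  const token = extractToken(await tokenRes.json());
  return fetchImpl(url, buildPostOptions(token, fields));
}

// Constructed stand-in for fetch: issues a new token on every call to the
// token endpoint and records each request it receives.
function makeFakeFetch() {
  const calls = [];
  let issued = 0;
  const fetchImpl = async (url, options = {}) => {
    calls.push({ url, options });
    if (url === TOKEN_ENDPOINT) {
      issued += 1;
      return { ok: true, status: 200, json: async () => ({ token: `tok-${issued}` }) };
    }
    return { ok: true, status: 200, json: async () => ({}) };
  };
  return { fetchImpl, calls };
}
```

This changes only what the client sends: the OOTB Granite filter still accepts any unexpired token, so true single-use enforcement would also need server-side tracking of spent tokens, which the answer above advises against customising.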

Answers (1)

ChitraMadan
MVP

09-07-2020

Hi @divyav15815834,

Maybe first try to set a very low expiration time and see the impact on your application.

[Image: chitra-madan_0-1594331786682.png]

I am not sure what exactly your use case is, but invalidating the token on every request can cause usability issues.