Adobe Experience Manager Sites & More

View profile · 08-07-2020

Hi,

We know currently CSRF token has expiration set to 10 mins and token is generated every 5 minutes.

We have a requirement wherein they do not want the "CSRF Token" submitted on the POST request to be used again. In scenarios where we have multiple steps(POST requests) in a flow or when you try to replay the XHR request, it uses the same CSRF token for every form submit.

Is there any way we can invalidate the CSRF token once it is used and regenerate a new one for the subsequent requests?

Thanks,

Divya

View profile · 08-07-2020

Hi @divyav15815834 ,

As you have mentioned expiration set to 10 mins and token is generated every 5 minutes.

It is not recommended to update OOTB CSRF functionality.

We can find the CSRF token in below path:

/libs/granite/csrf/token.json

Also, default script CSRF is available in below path:

/libs/clientlibs/granite/jquery/granite/csrf/source/csrf.js

Both are internal area and the adobe does not recommend to override.

An alternative solution would be:

You can disable the CSRF token generation by initializing empty window.Granite.csrf variable wherever is not necessary if you are implementing custom CSRF.

Below piece of script help in disabling the CSRF token generation:

Please do consider the security checklist into consideration.