Invalidate CSRF Token

divyav15815834
Level 1

08-07-2020

Hi,


We know that the CSRF token currently has its expiration set to 10 mins and a new token is generated every 5 minutes.


We have a requirement wherein they do not want the "CSRF Token" submitted on the POST request to be used again. In scenarios where we have multiple steps (POST requests) in a flow, or when you try to replay the XHR request, it uses the same CSRF token for every form submit.

Is there any way we can invalidate the CSRF token once it is used and regenerate a new one for the subsequent requests?


Thanks,

Divya

Accepted Solutions (1)

Vaibhavi
MVP

08-07-2020

Hi @divyav15815834 ,


As you have mentioned, the expiration is set to 10 mins and the token is generated every 5 minutes.

It is not recommended to update the OOTB CSRF functionality.


We can find the CSRF token at the below path:

/libs/granite/csrf/token.json

Also, the default CSRF script is available at the below path:

/libs/clientlibs/granite/jquery/granite/csrf/source/csrf.js


Both are internal areas and Adobe does not recommend overriding them.


An alternative solution would be:

You can disable the CSRF token generation by initializing an empty window.Granite.csrf variable wherever it is not necessary, if you are implementing custom CSRF.

The below piece of script helps in disabling the CSRF token generation:

<script type="text/javascript">
    // Pre-populate the Granite CSRF object so the OOTB csrf.js client
    // sees it as already initialised and does not fetch/attach a token.
    window.Granite = window.Granite || {};
    window.Granite.csrf = {
        initialised: true
    };
</script>

Please take the security checklist into consideration.

Answers (1)

ChitraMadan
MVP

09-07-2020

Hi @divyav15815834,


Maybe first try to set a very low expiration time and see the impact on your application.



I am not sure what exactly your use case is, but invalidating the token on every request can cause usability issues.