Solved: Invalidate CSRF Token - Adobe Experience League Community

View profile · 08-07-2020

Hi,

We know currently CSRF token has expiration set to 10 mins and token is generated every 5 minutes.

We have a requirement wherein they do not want the "CSRF Token" submitted on the POST request to be used again. In scenarios where we have multiple steps(POST requests) in a flow or when you try to replay the XHR request, it uses the same CSRF token for every form submit.

Is there any way we can invalidate the CSRF token once it is used and regenerate a new one for the subsequent requests?

Thanks,

Divya

View profile · 08-07-2020

Hi @divyav15815834 ,

As you have mentioned expiration set to 10 mins and token is generated every 5 minutes.

It is not recommended to update OOTB CSRF functionality.

We can find the CSRF token in below path:

/libs/granite/csrf/token.json

Also, default script CSRF is available in below path:

/libs/clientlibs/granite/jquery/granite/csrf/source/csrf.js

Both are internal area and the adobe does not recommend to override.

An alternative solution would be:

You can disable the CSRF token generation by initializing empty window.Granite.csrf variable wherever is not necessary if you are implementing custom CSRF.

Below piece of script help in disabling the CSRF token generation:

Please do consider the security checklist into consideration.

View profile · 09-07-2020

Hi @divyav15815834,

May be first try to set a very low expiration time and see the impact on your application.

I am not sure what exactly is your use case but invalidating token on every request can cause usability issues.

Invalidate CSRF Token

Accepted Solutions (1)

Accepted Solutions (1)

Answers (1)

Answers (1)