SOLVED

Invalidate CSRF Token

Hi,

 

We know that currently the CSRF token has its expiration set to 10 minutes and a token is generated every 5 minutes.

We have a requirement wherein they do not want the "CSRF Token" submitted on the POST request to be used again. In scenarios where we have multiple steps (POST requests) in a flow or when you try to replay the XHR request, it uses the same CSRF token for every form submit.

Is there any way we can invalidate the CSRF token once it is used and regenerate a new one for the subsequent requests?

 

Thanks,

Divya

1 Accepted Solution

Correct answer by
Community Advisor

Hi @divyav15815834 ,

 

As you have mentioned, the expiration is set to 10 minutes and the token is generated every 5 minutes.

It is not recommended to update the OOTB CSRF functionality.

 

We can find the CSRF token at the path below:

/libs/granite/csrf/token.json

Also, the default CSRF script is available at the path below:

/libs/clientlibs/granite/jquery/granite/csrf/source/csrf.js

Both are internal areas and Adobe does not recommend overriding them.

 

An alternative solution would be:

You can disable the CSRF token generation by initializing an empty window.Granite.csrf variable wherever it is not necessary, if you are implementing custom CSRF.

The piece of script below helps in disabling the CSRF token generation:

<script type="text/javascript">
    // Marking Granite.csrf as already initialised makes the OOTB csrf.js
    // skip its own setup, so no token is generated by it on this page
    window.Granite = window.Granite || {};
    window.Granite.csrf = {
        initialised: true
    };
</script>

Please do take the security checklist into consideration.


2 Replies

Community Advisor

Hi @divyav15815834,

Maybe first try to set a very low expiration time and see the impact on your application.

[Screenshot attachment: chitra-madan_0-1594331786682.png]

I am not sure what exactly your use case is, but invalidating the token on every request can cause usability issues.