1. Why does one use a CSRFToken?
2. Why do I receive a CSRFToken error?
3. Why don't I know this message yet?
1. Why does one use a CSRFToken?
The CSRFToken is used to prevent cross-site request forgery (CSRF) attacks. This attack exploits the fact that browsers automatically attach a site's cookies to every request sent to that site, regardless of which page initiated the request.
In concrete terms, this means that in a web application such as Intrexx you can be logged in within one browser tab while a second browser tab generates an unwanted (malicious) Ajax POST. The browser sends the session cookie along, so this POST would normally be executed in the context of the logged-in user and allows data to be manipulated, created or deleted without the user noticing.
Since online update 05, Intrexx supports the SameSite cookie standard.
As long as not all browsers provide this support, the CSRFToken must additionally be sent as a "secret" that the browser does not attach automatically, so that a forged request cannot be completed.
The CSRFToken in Intrexx has exactly the lifetime of a session.
2. Why do I receive a CSRFToken error?
A CSRFToken error can appear whenever a POST request to the portal fails. Because the CSRFToken is a security feature, it should be seen as the component that reports an error, not as the source of the error.
The CSRFToken is checked first, so even a simple JavaScript error on the page can already produce this message. Check whether any other errors were written to portal.log at that time and also check the reported portal page. portal.log also records the GUID of the application and the GUID of the affected page.
This error is legitimate if, for example, the user session has expired in one browser tab and you then try to continue working with the portal in a second browser tab: the token of the expired session no longer matches, so the POST is rejected.
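The mechanism from point 1 (a token bound to the session that the browser does not send on its own) and the expired-session case just described, as an added example that is not Intrexx's code. The cookie name, the header name, the in-memory session store and the clock are assumptions made for the demonstration; the 8-hour timeout is the upper bound this FAQ recommends.

```python
"""Added example: session-bound CSRF token validation (not Intrexx's implementation)."""
import hmac
import secrets
import time

# Session timeout in seconds; 8 hours is the maximum this FAQ recommends.
SESSION_TIMEOUT_SECONDS = 8 * 3600

SESSION_COOKIE = "session"    # assumed cookie name, not Intrexx's
CSRF_HEADER = "X-CSRFToken"   # assumed header name, not Intrexx's


class SessionStore:
    """In-memory sessions; each carries one CSRF token for its whole lifetime."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be simulated
        self._sessions = {}

    def create_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "csrf_token": secrets.token_urlsafe(32),  # random secret, never in a cookie
            "last_seen": self._clock(),
        }
        return sid

    def get_active(self, sid):
        """Return the session if it exists and has not timed out; expired ones are dropped."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > SESSION_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        session["last_seen"] = self._clock()
        return session

    def csrf_token_for(self, sid):
        """Token the server hands to its own pages so their Ajax POSTs can present it."""
        session = self.get_active(sid)
        return session["csrf_token"] if session else None


def check_post(store, cookies, headers):
    """Validate a POST request. Returns (accepted, reason)."""
    session = store.get_active(cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return False, "session expired or unknown"
    supplied = headers.get(CSRF_HEADER)
    if not supplied:
        return False, "CSRFToken missing"
    # constant-time comparison so the token cannot be guessed byte by byte via timing
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return False, "CSRFToken mismatch"
    return True, "ok"


def demo():
    """Run the four situations the FAQ describes against the store (constructed scenario)."""
    clock = {"t": 0.0}
    store = SessionStore(clock=lambda: clock["t"])
    sid = store.create_session()
    token = store.csrf_token_for(sid)

    results = {}
    # legitimate Ajax POST from the portal's own page: cookie plus token
    results["legitimate"] = check_post(store, {SESSION_COOKIE: sid}, {CSRF_HEADER: token})
    # request forged from another site: the browser attaches the cookie, but no token is known
    results["forged"] = check_post(store, {SESSION_COOKIE: sid}, {})
    # a stale or wrong token is rejected just like a missing one
    results["wrong_token"] = check_post(store, {SESSION_COOKIE: sid}, {CSRF_HEADER: "x" * len(token)})
    # second browser tab continuing after the session timed out
    clock["t"] += SESSION_TIMEOUT_SECONDS + 1
    results["expired"] = check_post(store, {SESSION_COOKIE: sid}, {CSRF_HEADER: token})
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:12s} accepted={accepted} reason={reason}")
```

The point the example makes is the one behind the FAQ: the session cookie alone proves nothing about who built the request, while the token, which only the portal's own pages can read, does. The last case shows why a second tab after a timeout produces exactly this error rather than a different one.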
If you receive a CSRFToken error on the web, you must determine in each individual case what actually caused it. The browser's developer console can help you with this.
You should check the following:
- Was another error reported at the same time? Check portal.log and the browser console.
- Does the affected user work with several browser tabs? This should be avoided, as it frequently leads to a CSRFToken error. The only countermeasure in this case is a longer session timeout, but a longer session timeout can in turn cause further errors. We therefore recommend not working with several browser tabs and configuring a session timeout of at most 8 hours.
3. Why don't I know this message yet?
The CSRFToken is a new feature of Intrexx 8.0, which is why you have not seen these messages before.