Enabled Cache leads to "Invalid request token" #1491
Comments
|
Can you please explain how exactly I can reproduce this issue step by step? The |
|
By mentioning
|
|
Can you please check if this is the same issue? I'm getting empty |
I assume you mean the following configuration, when you say "Enable server side cache in root page":
I am unable to reproduce the problem this way. But mostly because for some reason Contao refuses to cache https://demo.contao.org/en/ I inserted the form on pages other then the |
|
Could it have something to do with being logged into the backend? I just tried the following settings on the page root
Of course added the "Contact" form to the page "Home". Submitting this in the same browser session I was being logged into the backend with it did work without any problems. Trying to submit the form in an private session it instantly responded with "Invalid request token". |
|
You need to test without being logged in. Having an active back end log in disables the shared cache. I still cannot reproduce the problem. I now instead enabled the shared cache and the private cache, inserted the contact form into https://demo.contao.org/en/content-elements.html, then made sure the page is cached and then submitted the form. |
|
I'll try to do a screencast but unfortunately the demo seems to be offline currently. Update |
the demo-page is running behind a CloudFlare reverse-proxy. I'm just guessing - but maybe that's the reason, why the demo-installation had a different behaviour than a "normal" local installation. The described problem exists not only on 4.9.0 with Contao forms. The same happened if you have a Contao Extension/Module which uses the Request-Token {{REQUEST_TOKEN}}. As with Contao forms, the very first visit leads to empty request-tokens. The only way to avoid is adding the Contao module by insert-tag with the uncached-option {{insert_module::*|uncached}}. However, TL_JQUERY is ignored with this way, which can lead to malfunctions in some Contao modules. |
|
We first noticed this problem in our own extension with 4.8. Back then the actual solution was to use the Insert-Tag instead of setting the request token using the PHP constant. What is puzzling me now is that in 4.9 I still get a new token on every page load since the cache does not work for me in 4.9 at all, but nonetheless I still receive |
|
Please be aware that the mentioned behavior of not having a
|
I did not disagree on this one. There IS a Edit: Nur für den Fall das wir hier ein Verständnisproblem haben oder mein Englisch nicht sauber war. Mit aktiviertem Cache (aktuell inklusive |
|
I was not able to reproduce this error on https://demo.contao.org/ |
@ausi I was using Chrome but the browser should really not matter... |
|
@bennyborn Can you post a screencast on how to reproduce the error on https://demo.contao.org? |
|
|
|
@asaage In your video the request token works as expected, see #1491 (comment) |
|
okay. |
|
@asaage what kind of problem are you experiencing? In your GIF there was none. |
|
@fritzmg It's the infamous invalid-request-token errorscreen. But only if the user fills out a form on the first page he visits. On subsequent requests (or on reload) i have the token in the form and the csrf cookie present and everythink works as expected. |
|
I can confirm this issue. The |
|
Still haven't found a good way to create a screencast but just recreated the issue again.
@ausi Used Firefox this time ;) |
|
This time I was able to reproduce the issue as well. |
|
I've debugged the issue and I know why this happens :) |
|
@Toflar But another point is, if the session cookie would not be set by |
|
Yeah there are actually more issues here, what I stated 8 minutes ago does not seem true. |
|
Okay, found the reason now. It's a service locator autowiring issue. The wrong token storage manager gets wired for the request token script endpoint. I'll see if I can provide a fix. |
Description ----------- | Q | A | -----------------| --- | Fixed issues | Fixes #1491 | Docs PR or issue | - If not specified explicitly, Symfony will autowire to the default CSRF token storage which is the session one :) Commits ------- 95f4dbc Fixed FrontendController using session csrf token storage instead of our own memory token storage
Description ----------- | Q | A | -----------------| --- | Fixed issues | Fixes contao/contao#1491 | Docs PR or issue | - If not specified explicitly, Symfony will autowire to the default CSRF token storage which is the session one :) Commits ------- 95f4dbcb Fixed FrontendController using session csrf token storage instead of our own memory token storage
Affected version(s)
Contao 4.9.0
Description
When the Cache is enabled and the user tries to submit a form, Contao will throw an
Invalid request tokenerror even though the token is kept updated by/_contao/request_token_script.This behaviour can be reproduced on demo.contao.org (enable cache in root page, add "Contact" form to "Home"-page, try to submit the form).
Also I had no success getting the cache to actually work at all with 4.9 (even on demo.contao.org).
Slow response times and response headers always state
contao-cache: miss.The text was updated successfully, but these errors were encountered: