Security question hash saved in HTTP cache #5311

Closed
fritzmg opened this issue Sep 26, 2022 · 7 comments · Fixed by #5815
Comments

@fritzmg
Contributor

fritzmg commented Sep 26, 2022

Affected version(s)

4.9+

Description

Our FormCaptcha widget outputs a hidden input field with a hash that is valid for 30 minutes. However, if the HTTP cache is enabled, this hash will of course also be cached. Thus, for a cached response containing a form with a security question widget, the form will never validate on the first attempt, since the hash does not validate (it is too old after being in the cache for more than 30 minutes).

Reproduction

  1. Create a form with a text field and the security question.
  2. Insert the form on a page.
  3. Enable the page cache in the settings of that page (or a parent page). Set the timeout to something larger than 30 minutes (e.g. 1 year).
  4. Disable the debug mode.
  5. Create a request in the front end to that page, so that the page is cached.
  6. After 30 minutes refresh the page again and try to send the form. You will be asked to enter the security question.
  7. Open the page in a new browser session / different browser and try to send the form. You will be asked to enter the security question.

/cc @ausi

@fritzmg fritzmg added this to the 4.9 milestone Sep 26, 2022
@ausi ausi removed the unconfirmed label Oct 1, 2022
@m-vo
Member

m-vo commented Oct 3, 2022

A page with a form containing a security hash should probably be private in the first place, right?

@ausi
Member

ausi commented Oct 3, 2022

> A page with a form containing a security hash should probably be private in the first place, right?

I don’t think so. The hash just has to match the time slot and the captcha-field answer. Caching it for short periods of time should be OK.

@stale

stale bot commented Dec 16, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 16, 2022
@stale stale bot closed this as completed Jan 2, 2023
@fritzmg
Contributor Author

fritzmg commented Jan 4, 2023

Should we implement an ESI fragment for this hash that can be cached independently after all then?

@fritzmg fritzmg reopened this Jan 4, 2023
@aschempp
Member

aschempp commented Jan 6, 2023

I would prefer to modify the current page expiration to be no more than the 30min limit instead of ESI. Also, if client caching is enabled for more than 30min, ESI would not solve the problem.

@stale stale bot removed the stale label Jan 6, 2023
@fritzmg
Contributor Author

fritzmg commented Jan 6, 2023

It must be less than 30 minutes otherwise you might not have enough time to fill out the form.

@leofeyer leofeyer added the "up for discussion" label (Issues and PRs which will be discussed in our monthly Mumble calls) Feb 6, 2023
@ausi
Member

ausi commented Feb 9, 2023

As discussed in the call today, we want to make the captcha widget cacheable by getting an up-to-date hash from the server via JavaScript (with a small 5 seconds delay). The HTML itself would then not include the captcha hash and can therefore be cached.
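
The failure described in the issue (a time-slot hash baked into a page that sits in the HTTP cache for longer than its validity window) and the two remedies discussed in this thread (a page expiry shorter than 30 minutes, or a hash fetched by JavaScript from an uncached endpoint after a short delay) can be simulated end to end. The following is an added example written for this page; it is not Contao's own code (the project is PHP, this is a stand-alone Python model). The HMAC-over-slot scheme, the "current slot or previous slot" tolerance, the secret, the answer, the field name and the clock value are all constructed assumptions for the demo, not Contao's implementation.

```python
import hashlib
import hmac
from typing import Callable, Optional

# All values below are constructed for this demo; they are not Contao's secret,
# field names or hash scheme.
SECRET = b"demo-secret"
ANSWER = "7"              # the visitor's correct answer to the security question
WINDOW = 30 * 60          # validity window named in the issue: 30 minutes
BASE = 1_700_000_000      # constructed clock value for the first visitor (unix seconds)


def time_slot(now: int) -> int:
    """Index of the 30-minute window that `now` falls into."""
    return now // WINDOW


def captcha_hash(slot: int, answer: str) -> str:
    """Hash bound to one time slot and the expected answer (assumed scheme)."""
    return hmac.new(SECRET, f"{slot}:{answer}".encode(), hashlib.sha256).hexdigest()


def validate(submitted: Optional[str], answer: str, now: int) -> bool:
    """Accept the current slot and the previous one, so a hash stays valid for at
    least 30 and at most 60 minutes after it was issued (assumed tolerance)."""
    if submitted is None:
        return False
    slot = time_slot(now)
    return any(hmac.compare_digest(submitted, captcha_hash(s, answer))
               for s in (slot, slot - 1))


class HttpCache:
    """Toy shared page cache: serves the stored response until `ttl` seconds pass."""

    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self.body: Optional[dict] = None
        self.stored_at = 0

    def fetch(self, now: int, render: Callable[[int], dict]) -> dict:
        if self.body is None or now - self.stored_at >= self.ttl:
            self.body = render(now)       # cache miss or expired: render fresh
            self.stored_at = now
        return self.body


def render_with_embedded_hash(now: int) -> dict:
    """Original widget: the hash is baked into the hidden field of the HTML."""
    return {"html": "<form>...</form>", "captcha_hash": captcha_hash(time_slot(now), ANSWER)}


def render_without_hash(now: int) -> dict:
    """Cacheable widget: the HTML carries no hash; a script fetches one later."""
    return {"html": "<form>...</form>", "captcha_hash": None}


def hash_endpoint(now: int) -> str:
    """Uncached endpoint the page's JavaScript calls to get a current hash."""
    return captcha_hash(time_slot(now), ANSWER)


def second_visitor_validates(cache_ttl: int, delay: int, cacheable_widget: bool) -> bool:
    """Visitor A loads the page at BASE and populates the cache; visitor B loads it
    `delay` seconds later and submits the correct answer straight away.
    Returns whether B's submission passes captcha validation."""
    cache = HttpCache(cache_ttl)
    render = render_without_hash if cacheable_widget else render_with_embedded_hash
    cache.fetch(BASE, render)                      # visitor A
    later = BASE + delay
    page = cache.fetch(later, render)              # visitor B, maybe served from cache
    submit_at = later
    submitted = page["captcha_hash"]
    if cacheable_widget:
        submit_at = later + 5                      # the 5-second delay from the thread
        submitted = hash_endpoint(submit_at)       # fetched fresh, bypassing the cache
    return validate(submitted, ANSWER, submit_at)


if __name__ == "__main__":
    year = 365 * 86400
    print("embedded hash, 1-year cache, 2 h later:", second_visitor_validates(year, 2 * 3600, False))
    print("embedded hash, 20-min cache, 2 h later:", second_visitor_validates(20 * 60, 2 * 3600, False))
    print("fetched hash,  1-year cache, 2 h later:", second_visitor_validates(year, 2 * 3600, True))
```

Running the three scenarios reproduces the thread: with the hash embedded and a one-year page cache, the second visitor's correct answer is rejected because the cached hash belongs to a slot two hours old; capping the page expiry below the 30-minute window makes the cache re-render a fresh hash in time; and with the widget rendered without a hash and the hash fetched from the uncached endpoint at submission time, the page itself can stay cached indefinitely while validation still succeeds.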

@leofeyer leofeyer removed the "up for discussion" label (Issues and PRs which will be discussed in our monthly Mumble calls) Feb 9, 2023
@leofeyer leofeyer modified the milestones: 4.9, 4.13 Feb 16, 2023
leofeyer added a commit that referenced this issue Mar 6, 2023
Description
-----------

Fixes #5311

Commits
-------

7fc8cca Make the captcha widget cacheable
e1cea31 Generate the URL in the FormCaptcha class
7773702 Merge branch '4.13' into fix/captcha-http-cache
edc8b06 Merge branch '4.13' into fix/captcha-http-cache

Co-authored-by: Leo Feyer <1192057+leofeyer@users.noreply.github.com>
@leofeyer leofeyer linked a pull request Mar 6, 2023 that will close this issue
@leofeyer leofeyer closed this as completed Mar 6, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 18, 2024