Security question hash saved in HTTP cache #5311
Comments
A page with a form containing a security hash should probably be private in the first place, right?
I don’t think so. The hash just has to match the time slot and the captcha-field answer. Caching it for short periods of time should be OK.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Should we implement an ESI fragment for this hash that can be cached independently after all then?
I would prefer to modify the current page expiration to be no more than the 30min limit instead of ESI. Also, if client caching is enabled for more than 30min, ESI would not solve the problem.
It must be less than 30 minutes, otherwise you might not have enough time to fill out the form.
As discussed in the call today, we want to make the captcha widget cacheable by getting an up-to-date hash from the server via JavaScript (with a small 5 second delay). The HTML itself would then not include the captcha hash and can therefore be cached.
Description
-----------
Fixes #5311

Commits
-------
7fc8cca Make the captcha widget cacheable
e1cea31 Generate the URL in the FormCaptcha class
7773702 Merge branch '4.13' into fix/captcha-http-cache
edc8b06 Merge branch '4.13' into fix/captcha-http-cache

Co-authored-by: Leo Feyer <1192057+leofeyer@users.noreply.github.com>
Affected version(s)
4.9+
Description
Our FormCaptcha widget outputs a hidden input field with a hash that is valid for 30 minutes. However, if the HTTP cache is enabled, this hash will of course also be cached, and thus for a cached response containing a form with a security question widget the form will never validate on the first attempt, since the hash does not validate (it is too old after being in the cache for more than 30 minutes).
Reproduction
/cc @ausi