Fix EZP-21991: UserHash should be cached tied to user session id, not user cookies #720
Conversation
|
Review ping @andrerom @bdunogier @dpobel @yannickroger @pspanja @gggeek |
| } | ||
|
|
||
| /** | ||
| * Checks if passed string can be considered as a session name. |
There was a problem hiding this comment.
maybe add something to the effect of "such as would be used in cookies" ?
|
A bit OT for this PR, but I do not like very much the "isAnonymous" method name, which in fact checks if user has session or not. What if anonymous users do have sessions? |
|
@gggeek This is indeed OT. Please focus on this PR review 😉 |
|
Just to clarity, this does not attempt to handle the problem with multiple siteaccesses/sessions, correct? (part 2. of the JIRA issue) I wonder if there is any limit to the cache key length, or if f.e. a checksum could be used instead? |
|
@joaoinacio Correct. |
| @@ -132,7 +132,7 @@ public function generateUserHash( Request $request ) | |||
| // We must have a session at that point since we're supposed to be connected, so HTTP_COOKIE must contain session id. | |||
| // HTTP_COOKIE header will be used as cache key to store the user hash. | |||
There was a problem hiding this comment.
This comment should be updated I guess
|
besides the comment thing, +1 |
|
+1 |
|
Aside from @dpobel's remark, +1 |
|
Updated and rebased. |
Fix EZP-21991: UserHash should be cached tied to user session id, not user cookies
https://jira.ez.no/browse/EZP-21991
This patch makes the UserHash cache key to be only bound to the user session id.
Important note
Session cookie path/domain/lifetime issue is voluntarily not addressed here and will be fixed in a different PR.