[cookbook][cache] How to cache pages containing form with csrf token #1216

yosmanyga opened this Issue Apr 3, 2012 · 8 comments


None yet
5 participants

yosmanyga commented Apr 3, 2012

No description provided.


wouterj commented Jan 22, 2013

@weaverryan should get a doc request label.


gunnarlium commented Dec 14, 2013

As the CSRF token is private to each user, I don't think it makes sense to cache these pages.

I also believe CSRF tokens by necessity will always be stored in the session, and Varnish (and other similar proxies) must either ignore cookies or not cache pages with cookies.

If the whole page is expensive to generate, I suppose you might attempt to load the form (or even just the token field) with through ESI, but I'm not sure I would recommend that -- at least not highly enough to create a cookbook entry :).


ricardclau commented Aug 7, 2014

I know this is a very old issue but I would like to add my thoughts to it since it can be misleading and I also think that this should be closed

Looking at how the CSRF tokens are generated:

    public function generateCsrfToken($intention)
        return sha1($this->secret.$intention.$this->getSessionId());

Of course, you can add your own provider and return a plain hardcoded string but this is not my point and it would break the CSRF token purpose

Anyway, the tokens depend on the session_id which is unique per user / session. And caching such pages would effectively cause that the GET request to render the form gives you back a cached response (thus sending the same CSRF token for many users) and the POST request would actually fail because it would validate that token with the user session id.

This is an issue to many web applications when you put caching in place and this is why some high traffic web applications send a cached response for the static content but all the user interaction widgets are generated via uncached AJAX requests or similar techniques.

Hope this makes sense

Thoughts on this @wouterj @weaverryan @gunnarlium @yosmanyga ?


weaverryan commented Aug 13, 2014

@ricardclau What you're saying makes good sense. What do you propose? Do you think nothing needs to be said? Or should we have a small cookbook entry about this (that basically says don't cache them or load them with AJAX)?


ricardclau commented Aug 13, 2014

Well, this is one of those cases not related to Symfony2 itself but to how some technology + Symfony works. There are many opinions on adding cookbooks about Nginx, Varnish, logrotate and other bits.

I am clearly 👎 on writing a cookbook about this and it does not complement http://symfony.com/doc/current/cookbook/cache/varnish.html but maybe we could add a note on http://symfony.com/doc/current/cookbook/security/csrf_in_login_form.html

Anyway, not sure about it, but if you think it can be useful, I can work on it :)


gunnarlium commented Aug 13, 2014

I think it could make sense to mention it in the "Using CSRF Protection in the Login Form" entry. Perhaps more as a warning to not cache pages with CSRF tokens, and perhaps hint at the option of using AJAX or ESI instead.


weaverryan commented Aug 16, 2014

A note makes sense to me. It would also need to be added to the form chapter of the book where we talk about CSRF.


ricardclau commented Aug 17, 2014

Waiting for your comments @weaverryan @gunnarlium @wouterj

@weaverryan weaverryan added a commit that referenced this issue Jan 4, 2015

@weaverryan weaverryan feature #4141 Notes about caching pages with a CSRF Form (ricardclau)
This PR was merged into the 2.3 branch.


Notes about caching pages with a CSRF Form

| Q             | A
| ------------- | ---
| Doc fix?      | no
| New docs?     | no
| Applies to    | all
| Fixed tickets | #1216


1bc7ef2 cache_csrf_form

weaverryan closed this Jan 4, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment