Notes about caching pages with a CSRF Form #4141
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| .. index:: | ||
| single: Cache; CSRF; Forms | ||
|
|
||
| Caching Pages that Contain CSRF Protected Forms | ||
| =============================================== | ||
|
|
||
| CSRF tokens are meant to be different for every user. This is why you | ||
| need to be cautious if you try to cache pages with forms including them. | ||
|
|
||
| For more information about how CSRF protection works in Symfony, please | ||
| check :ref:`CSRF Protection <forms-csrf>`. | ||
|
|
||
| Why Reverse Proxy Caches do not Cache these Pages by Default | ||
| ------------------------------------------------------------ | ||
|
|
||
| There are many ways to generate unique tokens for each user but in order get | ||
| them validated when the form is submitted, you need to store them inside the | ||
| PHP Session. | ||
|
|
||
| If you are using Varnish or some similar reverse proxy cache and you try to cache | ||
| pages containing forms with CSRF token protection, you will see that, by default, | ||
| the reverse proxy cache refuses to cache. | ||
|
|
||
| This happens because a cookie is sent in order to preserve the PHP session open and | ||
| Varnish default behaviour is to not cache HTTP requests with cookies. | ||
|
|
||
| If you think about it, if you managed to cache the form you would end up | ||
| with many users getting the same token in the form generation. When these | ||
| users try to send the form to the server, the CSRF validation will fail for | ||
| them because the expected token is stored in their session and different | ||
| for each user. | ||
|
There was a problem hiding this comment. Yea, I like this type of description for showing the problem with caching CSRF pages There was a problem hiding this comment. Now I see that I should not say that is based on the session id, rephrasing it |
||
|
|
||
| How to Cache Most of the Page and still Be Able to Use CSRF Protection | ||
| ---------------------------------------------------------------------- | ||
|
|
||
| To cache a page that contains a CSRF token you can use more advanced caching | ||
| techniques like `ESI`_ fragments, having a TTL for the full page and embedding | ||
| the form inside an ESI tag with no cache at all. | ||
|
|
||
| Another option to be able to cache that heavy page would be loading the form | ||
| via an uncached AJAX request but cache the rest of the HTML response. | ||
|
|
||
| Or you can even load just the CSRF token with an AJAX request and replace the | ||
| form field value with it. | ||
|
There was a problem hiding this comment. would you have an example for this? it would mean not rendering the csrf hidden form element, and do an ajax call to retrieve the current csrf token? There was a problem hiding this comment. Well, either get the full form markup, just the hidden field markup or even just the token string via an uncached AJAX request. It may be tricky to explain it with words and make it clear for someone who is not familiar with all these concepts... There was a problem hiding this comment. i think the symfony code example would be helpful. how do i render the form (no i think a closely related problem to what we discuss here is how to make sure a session is only present on requests that actually need it (csrf ajax request). is there a way on symfony side to prevent the session from being started, and to unset the cookie right away after successful form submission? or do you use varnish config with knowledge of which url needs or needs not a cookie? (the later would seem more error prone to me) There was a problem hiding this comment. I'm ok with merging this without the example for now - we've given them 3 options, and I actually think the first 2 are probably the best (include the form in an un-cached ESI or load it via AJAX entirely). There was a problem hiding this comment. Added the latest comments and tweaks and rebased with 2.3, anything else missing @weaverryan @dbu ? |
||
|
|
||
| .. _`Cross-site request forgery`: http://en.wikipedia.org/wiki/Cross-site_request_forgery | ||
| .. _`ESI`: http://www.w3.org/TR/esi-lang | ||
| .. _`Security CSRF Component`: https://github.com/symfony/security-csrf | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for every request?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no. If the same user (user being related to a session here, so the same guy using 2 browsers will count as 2 users) is doing 2 requests, the same token will be used (for a given token id). Otherwise it would be impossible to check tokens later