The recipe: NoResubmit (part of default Recipe Book) creates a PHP SESSION cookie on the login form (or any form with the recipe applied via BOTCHA) before it is even submitted. This cookie, at least in most normal configurations of Varnish, causes Varnish's caching mechanism to no longer serve cached pages. This cookie is carried around with the user so the rest of their session is not cached via Varnish.

This means affected forms themselves aren't cached either, which can be a significant performance concern if you get a lot of malicious bots hitting the login or register forms (and you probably do, if you need BOTCHA).
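A way to check for the behaviour described in this issue, as an added example that is not part of the original post or of BOTCHA's code: it replays one anonymous visitor's responses in order and reports which page issued a session cookie and which later requests would miss the cache. The cookie-name pattern follows Drupal 7's `SESS`/`SSESS` naming; the cache rule (a request carrying a session cookie is not served from cache), the function names and the visit data are assumptions constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

# Drupal 7 names its PHP session cookie SESS<hash> (SSESS<hash> over HTTPS).
SESSION_COOKIE = re.compile(r"^S?SESS[0-9A-Za-z_-]+$")


def session_cookies(set_cookie_value):
    """Return the session cookie names found in one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value or "")
    return [name for name in jar if SESSION_COOKIE.match(name)]


def audit(exchanges):
    """Walk one anonymous visitor's requests in order.

    Each exchange is (path, set_cookie_header_or_None). Returns a list of
    (path, cacheable, issued_session). `cacheable` models the assumed Varnish
    rule: a request that carries a session cookie is passed to the backend.
    """
    held = set()  # session cookies the browser holds before each request
    report = []
    for path, set_cookie in exchanges:
        cacheable = not held
        issued = session_cookies(set_cookie)
        held.update(issued)
        report.append((path, cacheable, bool(issued)))
    return report


def issuing_paths(report):
    """Paths that handed a session cookie to the anonymous visitor."""
    return [path for path, _, issued in report if issued]


# Constructed sample: the visitor only views the login form, never submits it.
VISIT = [
    ("/", None),
    ("/user/login", "SESSq1w2e3r4=constructed-value; path=/; HttpOnly"),
    ("/", None),
    ("/node/1", None),
]

if __name__ == "__main__":
    for path, cacheable, issued in audit(VISIT):
        print(f"{path:12} cacheable={cacheable} issued_session={issued}")
```

Feeding it the `Set-Cookie` headers captured from a cookie-less browser session shows whether merely viewing a protected form is enough to take the rest of the visit out of the cache.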

Comments

iva2k

Status: Active » Postponed (maintainer needs more info)

I read that there are two issues here:
1. Protected forms are not cached
2. User gets a cookie that makes the whole session's pages not cached.
Is that a fair assessment?

Issue 1 is by design. Botcha excludes each protected form from caching in order to serve unique forms (even when it is the "same form"). There is a pending development to redesign how Botcha and caching interact, which may address issue 1 for Drupal caches. I'm pretty sure that it won't help Varnish caching as the resulting forms will continue to be unique for each served form.

Issue 2 deserves separate attention. Perhaps it can be patched to remove the cookie after it is no longer needed. I don't have bandwidth to work on it, but will review submitted patches.

chrisrcooper

Indeed, that's a fair assessment for #2 - that cookie for the form to be unique gets carried around with the user for the rest of their visit (even if they didn't attempt to use the form, just went to it).

I figured #1 would be the case, can't really have my cake and eat it too. It'd be possible to configure Varnish to ignore the Botcha cookie if it had some sort of identifier, but even if it did, you'd wind up defeating the point if the form wasn't somewhat "unique" and tied to session.

John_B

FWIW I have seen this problem.

I have also seen a problem where Botcha breaks AJAX requests in form file upload fields, even with 'no resubmit' disabled. I am not opening a ticket on that because I am not currently able to commit more time to the issue myself.