Problem
If a user visits a page anonymously (and anonymous caching is enabled), they may receive a cached anonymous page with an associated ETag. If they then authenticate externally and return to the same page, drupal will validate the existing cached page (via ETag) during the bootstrap 'page_cache' phase (very early in the page lifecycle). The only hook that may be called during page cache validation is hook_boot() (and then only if 'page_cache_invoke_hooks' is enabled, which it is by default). The external validation has set the webserver authentication variables, but the current hook_boot() doesn't actually prevent the anonymous cached page from being verified by drupal (http status 302).
Solution
hook_boot() should detect caches when a cached page is being served to an externally authenticated user, and force the page to reload to force the web browser to retrieve a fresh copy of the page. However, sometimes drupal will force an authenticated user to logout (for example in maintenance mode when the user doesn't have a role with access). To prevent the reloads from looping, a very short lived tracking cookie (60 seconds?) can be used to check if a reload has been attempted for the specific user recently, and skip repeated reloads.
This is subtly different than Issue 2154059 in that an anonymous page is shown to an authenticated user, not the reverse. It does, however, also fix that issue in a simpler way (by never serving authenticated pages as cached).
Comment | File | Size | Author |
---|---|---|---|
#1 | webserver_auth-cache-busting-2308947.patch | 3.45 KB | sshambar |
Comments
Comment #1
sshambar CreditAttribution: sshambar commentedAttaching patch to force reload of cached pages when external authentication is detected.
Also disables caching of authenticated pages.
Comment #2
sshambar CreditAttribution: sshambar commentedTo reproduce the bug in existing code:
To test the patch:
Repeat steps above... Last step should correctly show the authenticated page without a need to reload the page.
Comment #3
sshambar CreditAttribution: sshambar commentedMerged into dev branch, thanks!