Blocks #606840: Enable internal page cache by default.

This fixes the 1 failure o/t parent issue in:

  • Drupal\user\Tests\UserPasswordResetTest

Not only is it a waste of resources to cache the one-time password reset pages (because they only have an effect once and have unique URLs), it's also very strange from a usability POV: if the password reset link seems to work multiple times, but only has an effect once, then that's very confusing.

CommentFileSizeAuthor
#20 one_time_password_reset-2461105-20.patch1.42 KBjeroent
#20 interdiff-2461105-15-20.txt834 bytesjeroent
#15 one_time_password_reset-2461105-15.patch1.42 KBsivaji_ganesh_jojodae
#10 one_time_password_reset-2461105-10.patch3.62 KBcilefen
#10 interdiff-1-10.txt1.02 KBcilefen
#7 one_time_password_reset-2461105-7.patch3.6 KBcilefen
#7 interdiff-1-7.txt1 KBcilefen
#1 user_pass_reset_uncacheable-2461105-1.patch2.6 KBwim leers

Comments

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Status: Active » Needs review
StatusFileSize
new user_pass_reset_uncacheable-2461105-1.patch2.6 KB
aspilicious’s picture

aspilicious commented
Status: Needs review » Reviewed & tested by the community

Sounds sane, looks OK

berdir’s picture

berdir
Primary language German
Location Switzerland
commented

Makes me wonder which of those issues we should consider as a backport for D7. Most don't make sense there, but this one might?

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Issue tags: +Needs backport to D7

I didn't check, but I'd assume this is already the case in D7. I just checked user_pass_reset() (in user.pages.inc), and apparently that's not the case. Great find.

fabianx’s picture

fabianx commented

RTBC + 1

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs tests

Given this is a legit bug fix, and it also is aiming to be backported to D7, let's get a test for this.

cilefen’s picture

cilefen commented
Status: Needs work » Needs review
StatusFileSize
new interdiff-1-7.txt1 KB
new one_time_password_reset-2461105-7.patch3.6 KB

Added a test.

cilefen’s picture

cilefen commented
Status: Needs review » Needs work

That test is for the wrong route.

The last submitted patch, 7: one_time_password_reset-2461105-7.patch, failed testing.

cilefen’s picture

cilefen commented
Status: Needs work » Needs review
StatusFileSize
new interdiff-1-10.txt1.02 KB
new one_time_password_reset-2461105-10.patch3.62 KB
wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Status: Needs review » Reviewed & tested by the community

Test looks great.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Fixed

This issue addresses a major bug and is allowed per https://www.drupal.org/core/beta-changes. Committed 9a0cea2 and pushed to 8.0.x. Thanks!

  • alexpott committed 9a0cea2 on 8.0.x 
    Issue #2461105 by cilefen, Wim Leers: One-time password reset page...
berdir’s picture

berdir
Primary language German
Location Switzerland
commented
Version: 8.0.x-dev » 7.x-dev
Status: Fixed » Patch (to be ported)
sivaji_ganesh_jojodae’s picture

sivaji_ganesh_jojodae commented
Status: Patch (to be ported) » Needs review
StatusFileSize
new one_time_password_reset-2461105-15.patch1.42 KB

Patch for D7 attached.

  • alexpott committed 9a0cea2 on 8.1.x 
    Issue #2461105 by cilefen, Wim Leers: One-time password reset page...

  • alexpott committed 9a0cea2 on 8.3.x 
    Issue #2461105 by cilefen, Wim Leers: One-time password reset page...

  • alexpott committed 9a0cea2 on 8.3.x 
    Issue #2461105 by cilefen, Wim Leers: One-time password reset page...
fabianx’s picture

fabianx commented
Status: Needs review » Needs work

This should use:

drupal_page_is_cacheable(FALSE);

instead of setting $conf directly ...

jeroent’s picture

jeroent
Primary language Dutch
Location 🇧🇪
commented
Status: Needs work » Needs review
StatusFileSize
new interdiff-2461105-15-20.txt834 bytes
new one_time_password_reset-2461105-20.patch1.42 KB

Made changes as suggested by #19.

fabianx’s picture

fabianx commented

#20: Can you upload the a test-only patch as well, please.

I want to make sure it fails ...

You likely will need to enable page cache for it to work though ...

  • alexpott committed 9a0cea2 on 8.4.x 
    Issue #2461105 by cilefen, Wim Leers: One-time password reset page...

  • alexpott committed 9a0cea2 on 8.4.x 
    Issue #2461105 by cilefen, Wim Leers: One-time password reset page...
poker10’s picture

poker10 commented
Version: 7.x-dev » 8.0.x-dev
Status: Needs review » Fixed
Issue tags: -Needs backport to D7, -Needs tests

I think this D7 part of this issue is no longer relevant, as the cache of the user_pass_reset() form was "turned off" in: #2803921: A valid one-time login link may be leaked by the referer header to 3rd parties

The form is not cached in browser:

$form['#action'] = url("user/reset/$uid/$timestamp/$session_reset_hash/login");
// Prevent the browser from storing this page so that the token will
// not be visible in the form action if the back button is used to
// revisit this page.
drupal_add_http_header('Cache-Control', 'no-store');

And it also does not have X-Drupal-Cache header, because the user has $_SESSION['pass_reset_hash'] set and thus Drupal is adding also $_COOKIE[session_name()] for that user, which causes the part where the X-Drupal-Cache header should be set to skip.

See: _drupal_bootstrap_page_cache()

// If there is no session cookie and cache is enabled (or forced), try
// to serve a cached page.
if (!isset($_COOKIE[session_name()]) && $cache_enabled) {

Verified also by manual testing that there is no X-Drupal-Cache header on that form at all. So I think this can be closed now as fixed in D8 and thats all.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.