Session cache context now added to URLs with CSRF tokens in non-HTML responses

By prudloff on 22 May 2026

Change record status:

Draft (View all draft change records)

Project:

Drupal core

Introduced in branch:

Introduced in version:

Issue links:

https://www.drupal.org/node/3563538

Description:

When generating URLs that include CSRF tokens (via the _csrf_token route requirement), the GeneratedUrl object now automatically includes the session cache context. This ensures that URLs with CSRF tokens are correctly handled by Drupal's caching system and prevents incorrect caching of user-specific URLs.

This change only applies to non-HTML responses. In HTML responses the token in the URL is a placeholder that is replaced when rendering the page (to allow the page to be cached regardless of the current user).

Session cache context now added to URLs with CSRF tokens in non-HTML responses

News items

Our community

Documentation

Drupal code base

Governance of community