Problem/Motivation

On a project using just one component (the image hotspot component), we noticed anonymous user sessions were being generated, which essentially disables caching for the site.

This code in getGenericH5PIntegrationSettings is called, regardless of whether components will use those ajax callback urls:

   // Create AJAX URLs
    $set_finished_url = Url::fromUri('internal:/h5p-ajax/set-finished.json', ['query' => ['token' => \H5PCore::createToken('result')]])->toString(TRUE)->getGeneratedUrl();
    $content_user_data_url = Url::fromUri('internal:/h5p-ajax/content-user-data/:contentId/:dataType/:subContentId', ['query' => ['token' => \H5PCore::createToken('contentuserdata')]])->toString(TRUE)->getGeneratedUrl();
    $h5p_url = base_path() . self::getRelativeH5PPath();

and the \H5PCore::createToken('contentuserdata') is what initiates the anonymous user session.

Proposed resolution

Potential fixes include:

  • Make anonymous session a configuration option
  • If the anonymous session option isn't enabled, only generate those callbacks for authenticated users

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comments

jhedstrom created an issue. See original summary.

daniel kulbe’s picture

daniel kulbe
he/him
Primary language German
Location Berlin
commented

I agree, no anonymous session should be created, as this will disable the page cache for anonymous users.
I propose a solution to use a cookie instead.

daniel kulbe’s picture

daniel kulbe
he/him
Primary language German
Location Berlin
commented

Because this is a issue of the core library, I opened an issue on GitHub as well.

baikho’s picture

baikho commented
Related issues: +#3167652: Session cookies set on node view which bypass cache for anonymous user