Drupal cache enabled, normal mode.

  1. I log out.
  2. I open a vud-enabled node with browser X. I don't click on the vud-widget, at all.
  3. I open the same node with a different browser, also not logged in. I click the vud-widget to vote, but the vote is not cast. If I wait a second and click again, the vote is registered (JS reloads the token-containing URL, I guess?).
  4. I click myself to another page, and then receive the Drupal message saying "oops" and so on about the vote not being cast, from the first click.
  5. The page that I open in the second browser comes from the Drupal cache, and the token for the voting link comes from the cache too and is not generated again - so it's not valid for the other browsing session.

I understand the token is so CSRF wouldn't be possible, but it seems that with this implementation the person getting the page from cache can't vote, at least on the first click - and still gets the error even if the vote goes through on the second click. The same token-related problem was in 6.x-1.0-beta6, but I applied the fix in comment #3 here and it worked, but that only disables the token checking for anonymous voters, so it leaves the CSRF problem, right?

I first bumped into this problem while having the Boost module enabled, but it seems to be the same for the normal page cache.


Comments

vesapalmu’s picture

Priority: Normal » Major

We are having the same issue, but with external caching. To make things even worse, Vote up/down always creates a session for anonymous users. I will create a separate issue for that. However, I would consider this a major issue. Even if you want to enable this for anonymous users, you will definitely want to still keep your caching enabled.

nirad’s picture

Subscribing. Plus 1 has the same problem (http://drupal.org/node/734558). Probably impossible to allow voting with Boost (Boost turns your content into static HTML), but anonymous voting really should work with standard page caching.

TheInspector’s picture

Subscribing. Wouldn't it solve the problem if the vote links are fetched with AJAX on page load, so the token is correct?

Pushkar Gaikwad’s picture

+1, as this is indeed a very big issue.

tseven’s picture

I'd like to see this issue fixed as well.

marvil07’s picture

Title: Anonymous voting does not work with cache » Anonymous voting does not work with core normal cache

I was investigating a little into this, but I am really not sure about how to solve it.

The real question is: Can we use a module that generates links with tokens (drupal_get_token()) when core "normal cache" is enabled?

The problem seems to be that core "normal cache" is caching static HTML of the node rendered for anonymous users (not really sure about that) in the cache table. So anonymous users are not getting new tokens per request, and the links turn wrong after the first GET of the page with the link.

If that is the case, I think we cannot support normal cache (hopefully I am wrong :-p).

marvil07’s picture

I have just noticed the patch on the Plus 1 module issue, and it adds one more parameter to the drupal_valid_token call, which seems to be specifically for that purpose!

It seems like the same thing proposed by jari, but from another context :-)
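Added example (not part of the thread or of the module's code): a small Python model of the behaviour discussed in this thread. The token scheme (HMAC-SHA256 over a session ID and the vote path), the function names and the session IDs are assumptions for illustration, not Drupal's implementation. It shows the cached token failing for the second browser, the anonymous bypass accepting a forged token, and a token issued per session outside the cache (the AJAX idea raised above) validating.

```python
import hashlib
import hmac
import secrets

SITE_KEY = secrets.token_bytes(32)   # stand-in for the site's private key
VOTE_PATH = "vote/node/1/1"          # constructed vote link path
page_cache = {}                      # path -> HTML rendered for anonymous users


def get_token(session_id, value):
    """Token bound to one session, so another session cannot reuse it."""
    msg = f"{session_id}:{value}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(token, session_id, value, is_anonymous=False, skip_anonymous=False):
    """Check a token; skip_anonymous models waiving the check for anonymous users."""
    if skip_anonymous and is_anonymous:
        return True  # nothing is verified, so a forged token passes too
    return hmac.compare_digest(token, get_token(session_id, value))


def render_node(path, session_id):
    """Return node HTML; the first anonymous render is cached and reused."""
    if path not in page_cache:
        token = get_token(session_id, VOTE_PATH)
        page_cache[path] = f'<a href="/{VOTE_PATH}?token={token}">up</a>'
    return page_cache[path]


def token_in(html):
    return html.split("token=")[1].split('"')[0]


def demo():
    sess_x, sess_y = "session-browser-X", "session-browser-Y"  # constructed IDs
    render_node("/node/1", sess_x)                     # browser X primes the cache
    cached = token_in(render_node("/node/1", sess_y))  # browser Y is served X's token
    return {
        "cached_token_valid_for_y": valid_token(cached, sess_y, VOTE_PATH),
        "skip_anonymous_accepts_cached": valid_token(cached, sess_y, VOTE_PATH, True, True),
        "skip_anonymous_accepts_forged": valid_token("forged", sess_y, VOTE_PATH, True, True),
        "fresh_token_valid_for_y": valid_token(get_token(sess_y, VOTE_PATH), sess_y, VOTE_PATH),
    }


if __name__ == "__main__":
    print(demo())
```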

marvil07’s picture

Status: Active » Needs review
FileSize: 1.41 KB

Here is the patch for this, but I am not really convinced now; let's wait a little for other people before committing.

Status: Needs review » Needs work

The last submitted patch, 0001-Anonymous-voting-does-not-work-with-core-normal-cach.patch, failed testing.

marvil07’s picture

Status: Needs work » Closed (duplicate)

Since this is too closely related to #672566: Compatibility with Pressflow, I will mark this as a duplicate in favour of that issue, but integrating the code already there with the patch here.

Follow up there ;-)

ionmedia’s picture