Drupal cache enabled, normal mode.
- I log out.
- I open a vud-enabled node with browser X. I don't click on the vud widget at all.
- I open the same node with a different browser, also not logged in. I click the vud widget to vote, but the vote is not cast. If I wait a second and click again, the vote is registered (JS reloads the token-containing URL, I guess?).
- I click through to another page, and then receive the Drupal message saying "oops" and so on about the vote not being cast, from the first click.
The page that I open in the second browser comes from the Drupal cache, and the token for the voting link comes from the cache too and is not generated again - so it's not valid for the other browsing session.
I understand the token is there so CSRF wouldn't be possible, but it seems that with this implementation the person getting the page from the cache can't vote, at least on the first click, and still gets the error even if the vote goes through on the second click. The same token-related problem was in 6.x-1.0-beta6, but I applied the fix in comment #3 here and it worked; that only disables the token checking for anonymous voters, though, so it leaves the CSRF problem, right?
I first bumped into this problem with the Boost module enabled, but it seems to be the same for the normal page cache.
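The failure described above, and the reason the "disable the check for anonymous users" workaround is not a fix, as an added simulation (not Vote Up/Down or Drupal code). The token construction, the page cache, the URL layout and the uncached token endpoint are assumptions that stand in for drupal_get_token()/drupal_valid_token(), the core page cache and the AJAX idea raised later in the thread:

```python
"""Per-session CSRF token baked into a page that the anonymous page cache serves to everyone.
Added illustration; hash construction, cache and endpoint names are assumptions."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Stand-in for the site's private key (constructed here, not a real Drupal value).
PRIVATE_KEY = secrets.token_bytes(32)


def get_token(session_id: str, value: str) -> str:
    """Session-bound token in the spirit of drupal_get_token(): the session id is part of
    the input, so a token minted for one browsing session is invalid for any other."""
    return hmac.new(PRIVATE_KEY, f"{session_id}:{value}".encode(), hashlib.sha256).hexdigest()


def valid_token(token: str, session_id: str, value: str,
                skip_anonymous: bool = False, is_anonymous: bool = True) -> bool:
    """skip_anonymous=True models the workaround that disables the check for anonymous
    users: every anonymous request is then accepted, valid token or not."""
    if skip_anonymous and is_anonymous:
        return True
    return hmac.compare_digest(token, get_token(session_id, value))


class PageCache:
    """Minimal 'normal' page cache: the first render of a path is stored and served to all."""

    def __init__(self) -> None:
        self.store: dict[str, str] = {}

    def get(self, path: str, render) -> str:
        if path not in self.store:
            self.store[path] = render()
        return self.store[path]


def render_vote_link(session_id: str, nid: int) -> str:
    """Widget markup as a link carrying the token of the session that rendered it."""
    value = f"vote/{nid}/up"
    return f"/{value}?token={get_token(session_id, value)}"


def handle_vote(url: str, session_id: str, skip_anonymous: bool = False) -> bool:
    """Server side of the vote link: True when the vote is cast, False when rejected."""
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("token", [""])[0]
    return valid_token(token, session_id, parts.path.lstrip("/"), skip_anonymous=skip_anonymous)


def cached_page_breaks_second_session() -> tuple:
    """Browser X renders the node (page enters the cache); browser Y gets the cached copy.
    Returns (vote from X accepted, vote from Y accepted)."""
    cache = PageCache()
    session_x, session_y = secrets.token_hex(8), secrets.token_hex(8)
    link_for_x = cache.get("/node/1", lambda: render_vote_link(session_x, 1))
    link_for_y = cache.get("/node/1", lambda: render_vote_link(session_y, 1))  # cache hit
    assert link_for_x == link_for_y  # same markup and same token, whoever asks for the page
    return handle_vote(link_for_x, session_x), handle_vote(link_for_y, session_y)


def skipping_anonymous_check_allows_csrf() -> bool:
    """An attacker page makes the victim's browser request a vote URL with a made-up token."""
    victim_session = secrets.token_hex(8)
    return handle_vote("/vote/1/up?token=deadbeef", victim_session, skip_anonymous=True)


def token_endpoint(session_id: str, nid: int) -> str:
    """Assumed uncached endpoint returning a token for the caller's own session."""
    return get_token(session_id, f"vote/{nid}/up")


def out_of_band_token_works() -> tuple:
    """Cached page carries a token-less link; the client fetches a token for its own session
    before voting. Returns (own vote accepted, forged vote accepted)."""
    cache = PageCache()
    session_y = secrets.token_hex(8)
    bare_link = cache.get("/node/1", lambda: "/vote/1/up")  # nothing session-bound is cached
    own = handle_vote(f"{bare_link}?token={token_endpoint(session_y, 1)}", session_y)
    forged = handle_vote("/vote/1/up?token=deadbeef", session_y)
    return own, forged


if __name__ == "__main__":
    print("token in cached page, X then Y:", cached_page_breaks_second_session())
    print("skip check for anonymous, forged vote accepted:", skipping_anonymous_check_allows_csrf())
    print("token fetched per session, own/forged:", out_of_band_token_works())
```

The first scenario reproduces the report: the second browser's first click carries a token minted for someone else's session and is rejected. The second shows why the beta6 workaround is not a fix: with the check skipped for anonymous users, a forged cross-site request is accepted. The third keeps the cached page free of session-bound data and obtains the token from an uncached per-session request, which both casts the legitimate vote and rejects the forgery.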
Comment | File | Size | Author |
---|---|---|---|
#8 | 0001-Anonymous-voting-does-not-work-with-core-normal-cach.patch | 1.41 KB | marvil07 |
Comments
Comment #1
vesapalmu commented: We are having the same issue, but with external caching. To make things even worse, Vote up/down always creates a session for anonymous users. I will create a separate issue for that. However, I would consider this a major issue. Even if you want to enable this for anonymous users, you will definitely want to keep your caching enabled.
Comment #2
nirad commented: Subscribing. Plus 1 has the same problem (http://drupal.org/node/734558). Probably impossible to allow voting with Boost (Boost turns your content into static HTML), but anonymous voting really should work with standard page caching.
Comment #3
TheInspector commented: Subscribing. Wouldn't it solve the problem if the vote links were fetched with AJAX on page load, so the token is correct?
Comment #4
Pushkar Gaikwad commented: +1, as this is indeed a very big issue.
Comment #5
tseven commented: I'd like to see this issue fixed as well.
Comment #6
marvil07 commented: I was investigating a little into this, but I am really not sure about how to solve it.
The real question is: can we use a module that generates links with tokens (drupal_get_token()) when core "normal cache" is enabled?
The problem seems to be that core "normal cache" is caching the static HTML of the node rendered for anonymous users (not really sure about that) in the cache table. So anonymous users are not getting new tokens per request, and the links turn wrong after the first GET of the page with the link.
If that is the case, I think we cannot support normal cache (hopefully I am wrong :-p).
Comment #7
marvil07 commented: I have just noticed the patch on the Plus 1 module issue; it adds one more parameter to drupal_valid_token, which seems to be specifically for that purpose!
It seems like the same thing proposed by jari, but from another context :-)
Comment #8
marvil07 commented: Here is the patch for this, but I am not really convinced now; let's wait a little for other people before committing.
Comment #10
marvil07 commented: Since this is too related to #672566: Compatibility with Pressflow, I will mark this as a duplicate in favour of that issue, integrating the code already there with the patch here.
Follow up there ;-)
Comment #11
ionmedia commented: up #1124466: standart cache and plus1 module