[5.x] Prevent protected pages being cached #10929

Merged
merged 3 commits into from
Oct 18, 2024

Member

@duncanmcclean duncanmcclean commented Oct 10, 2024

This pull request fixes an issue where protected pages would be statically cached, unless manually excluded in the static_caching.php config file.

Closes statamic/ideas#190.

@jasonvarga jasonvarga merged commit 35e57bc into 5.x Oct 18, 2024
17 checks passed
@jasonvarga jasonvarga deleted the prevent-protected-pages-from-being-cached branch October 18, 2024 17:43
@daun
Contributor

daun commented Oct 25, 2024

@duncanmcclean Is there a way of reverting to the previous behavior if required? I'm currently relying on caching protected pages in a project. There's a lot of them and the server is really slow :(

@jasonvarga
Member

We could, but you're aware of the issue this was fixing, right? They become unprotected once cached.

@daun
Contributor

daun commented Oct 25, 2024

@jasonvarga In fact, I wasn't aware. That definitely sounds like something to avoid at all cost. I need to check real quick if the site in question requires a fix on our end in this case 🤠 Looks like it.

The best strategy for caching protected pages would probably be namespacing the cached pages by the user or login state, a bit like the {{ cache scope="user" }} tag would.

@jasonvarga
Member

Definitely. I'm sure there's a feature request open already to support that.

@duncanmcclean
Member Author

> Definitely. I'm sure there's a feature request open already to support that.

There is - go and give statamic/ideas#1234 a 👍.
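
The failure mode and the two mitigations discussed in this thread, as an added example that is not Statamic's code and not part of any comment above. It is a toy page cache (`ToyPageCache`, `render()` and the mode names are hypothetical, the sample page is constructed) compared under a URL-only key, skipping protected pages as this PR's title describes, and a key scoped by user as suggested above.

```php
<?php
// Added illustration, not Statamic code. ToyPageCache, render() and the three
// mode names are hypothetical; the sample page and user are constructed.

function render(array $page, ?string $user): string
{
    // The authorization check lives in the application, behind the cache.
    if ($page['protected'] && $user === null) {
        return '403 Forbidden';
    }
    return $page['body'];
}

final class ToyPageCache
{
    private array $store = [];

    public function __construct(private string $mode) {}

    public function handle(array $page, ?string $user): string
    {
        // 'skip': protected pages never enter the cache.
        if ($this->mode === 'skip' && $page['protected']) {
            return render($page, $user);
        }

        // 'scoped': the visitor's identity is part of the key.
        // 'url-only': every visitor shares one entry per URL.
        $key = $this->mode === 'scoped'
            ? $page['url'] . '|' . ($user ?? 'guest')
            : $page['url'];

        // A hit is returned without running the check in render().
        return $this->store[$key] ??= render($page, $user);
    }
}

$members = ['url' => '/members', 'protected' => true, 'body' => 'members-only content'];

foreach (['url-only', 'skip', 'scoped'] as $mode) {
    $cache = new ToyPageCache($mode);
    $cache->handle($members, 'alice');           // logged-in visit warms the cache
    $anonymous = $cache->handle($members, null); // anonymous request afterwards
    printf("%-8s -> anonymous visitor receives: %s\n", $mode, $anonymous);
}
```

Only the URL-only mode answers the anonymous request from the entry stored for the logged-in visitor. Per-user keys avoid that at the cost of one cache entry per user and page.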

@simonworkhouse
Contributor

This is a particularly nasty breaking change for us and it did not become apparent until production response times started triggering alerts.

We would greatly appreciate the ability to configure whether or not to allow caching for "protected" pages.

@duncanmcclean
Member Author

So you'd prefer for protected pages to be unprotected after the first visit?

@simonworkhouse
Contributor

Not by default, no, but at least a mechanism for one to control whether or not they should be, ideally controlled by the static cacher itself.

In our use-case we have a custom static cacher which utilises cache tags and is aware of which version of the cached response to deliver to the user.

Implementing a clean work-around would be simple enough if it wasn't for methods in the Statamic\StaticCaching\Middleware\Cache middleware having been declared private. I'd also recommend reconsidering the use of private as it's very common for middleware to be extended.

@duncanmcclean
Member Author

> Implementing a clean work-around would be simple enough if it wasn't for methods in the Statamic\StaticCaching\Middleware\Cache middleware having been declared private. I'd also recommend reconsidering the use of private as it's very common for middleware to be extended.

If it would make it easier to workaround, then feel free to submit a PR to make it public or protected instead.

In an ideal world, we would add proper support for caching protected pages but we haven't got there yet.

This PR just fixes it for now as it's a potential security issue for some.

@antonhedling

antonhedling commented Nov 18, 2024

Just want to comment and say that this change absolutely murdered our prod due to the fact that we had:

protect: 'null'

stored in most of our .md-files, since I guess this is how it was stored back in the day. This resulted in a string "null"-value that was considered truthy and therefore no page was cached. Just in case someone else had to spend hours debugging performance issues lately...

@simonworkhouse
Copy link
Contributor

I have submitted a PR that adds support for allowing protected pages in the static cache via configuration and/or custom protectors #11212

Development

Successfully merging this pull request may close these issues.

Ability to disable half measure / app static caching on protected pages