Contrib.social

The name query parameter to UserPasswordForm can result in lots of cache entries

Open on Drupal.org →
Created on 16 November 2016, over 7 years ago
Updated 3 April 2023, about 1 year ago

In https://security.drupal.org/node/161566, which was released in https://www.drupal.org/SA-CORE-2016-005 → , a cache context was added to the "name" query parameter on the password reset form. @catch observed:

This is going to result in a lot of cache entries. We should probably placeholder the title or set the form to max_age=0 instead.

See:

📌 Task
Status

Needs work

Version

10.1 ✨

Component
User system  →

Last updated about 13 hours ago

Created by

🇺🇸United States cilefen

Live updates comments and jobs are added and updated live.
  • Performance

    It affects performance. It is often combined with the Needs profiling tag.

  • Novice

    It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago →
    🇬🇧United Kingdom catch

    The logic around this has changed a bit since #2828724: Username enumeration via one time login route → .

    More specifically, I can't see anywhere that we actually pass the name query parameter to this form, so I'm wondering if we can just remove support for the query arg and setting the default value entirely.

  • Comment over 1 year ago →
    System Message

    The last submitted patch, 19: 2828210.patch, failed testing. View results →

  • Comment over 1 year ago →
    🇬🇧United Kingdom catch

    OK we do use it as the test coverage shows:

      $query = isset($user_input['name']) ? ['name' => $user_input['name']] : [];
        $form_state->setErrorByName('name', $this->t('Unrecognized username or password. <a href=":              password">Forgot your password?</a>', [':password' => Url::fromRoute('user.pass', [], ['query' => $query])-      >toString()]));

    From UserLoginForm::validateFinal().

  • Comment about 1 year ago →
    🇮🇳India sahil.goyal

    for avoid having lots of cache entries for the UserPasswordForm class with different values for the name query parameter. So adding cache metadata for the name query parameter after that setting the cache context to url.query_args:name and setting the cache tags will invalidate the cache when the user with the given name is updated. Not adding Interdiff as patch is following different approach.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024