Pages are cached while the request policy was set to deny

Created on 4 September 2018, almost 6 years ago
Updated 24 October 2023, 8 months ago

Description

For one of our projects, we are using the persistent login module. That module implements a request policy to deny caching of pages for users that have the 'remember me' option enabled.

The moment such a user is automatically logged in, his first page ends up in the page cache.
The reason for this is that BigPipeSessionless always calls storeResponse, while the normal page cache flow never reaches storeResponse. Caching was already blocked on the request.

I'm marking this as critical, because this combination resulted in private info shown to normal visitors.

Solution

Use the request policy to check if the storeResponse method needs to be called. This way, functionality keeps in line with the core cache logic.

πŸ› Bug report
Status

Fixed

Version

2.0

Component

Code

Created by

🇧🇪 Belgium nils.destoop

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
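
The caching flaw and the proposed fix described in this issue, as an added example that is not code from the issue, the module or Drupal core: a simplified PHP model in which all function and class names, the `remember_me` cookie name and the sample requests are assumptions. It runs the sessionless flow first without and then with the request policy check, and prints what an anonymous visitor then receives from the normal page cache flow.

```php
<?php
// Simplified model of the flows in this issue. Not Drupal or module code:
// every name here is hypothetical.
const ALLOW = 'allow';
const DENY = 'deny';

// Stand-in for the persistent login request policy (assumed cookie name).
function policyCheck(array $req): string {
    return isset($req['cookies']['remember_me']) ? DENY : ALLOW;
}

final class PageCacheModel {
    private array $store = [];
    public function get(string $path): ?string { return $this->store[$path] ?? null; }
    public function storeResponse(string $path, string $body): void { $this->store[$path] = $body; }
}

// Renders a page containing data private to the automatically logged-in user.
function render(array $req): string {
    return 'Account page for ' . ($req['cookies']['remember_me'] ?? 'anonymous');
}

// Normal page cache flow: a DENY on the request skips lookup and storage.
function coreFlow(PageCacheModel $c, array $req): string {
    if (policyCheck($req) === DENY) {
        return render($req);
    }
    $body = $c->get($req['path']) ?? render($req);
    $c->storeResponse($req['path'], $body);
    return $body;
}

// Sessionless flow. $checkPolicy = false models the reported behaviour
// (always store); true models the proposed solution.
function sessionlessFlow(PageCacheModel $c, array $req, bool $checkPolicy): string {
    $body = render($req);
    if (!$checkPolicy || policyCheck($req) === ALLOW) {
        $c->storeResponse($req['path'], $body);
    }
    return $body;
}

// Constructed requests: one with a remember-me cookie, one anonymous.
$remembered = ['path' => '/account', 'cookies' => ['remember_me' => 'alice']];
$visitor = ['path' => '/account', 'cookies' => []];
foreach ([false, true] as $checkPolicy) {
    $cache = new PageCacheModel();
    sessionlessFlow($cache, $remembered, $checkPolicy);
    echo ($checkPolicy ? 'with check: ' : 'without check: '), coreFlow($cache, $visitor), "\n";
}
```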
