Contrib.social

Code leaked cacheability metadata

Open on Drupal.org β†’
Created on 12 September 2021, almost 4 years ago
Updated 4 February 2025, 5 months ago

Problem/Motivation

Whenever I authenticate using the plugin, a warning concerning leaking cacheability metadata is written to the log:

While processing SAML authentication response, code leaked cacheability metadata. This indicates a bug somewhere (but it is hard to pinpoint where): if the same code is called in other scenarios too, it may cause fatal crashes, or bloat the render cache unnecessarily. Please investigate. Metadata: i:6;:O:37:"Drupal\Core\Render\BubbleableMetadata":4:{s:16:"*cacheContexts";a:0:{}s:12:"*cacheTags";a:0:{}s:14:"*cacheMaxAge";i:-1;s:14:"*attachments";a:0:{}}

Steps to reproduce

Use the SAML login to authenticate.

Proposed resolution

Fix metadata leak.

πŸ› Bug report
Status

Active

Version

3.3

Component

Code

Created by

fkohrt

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 5 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States rschwab

    I just started coming across this problem as of 3.10. It pops up when using a link with the 'destination' parameter, as in this twig template snippet:
    <a href="/saml/login?destination={{ path('<current>') }}">Website Login</a>

    With πŸ“Œ Correctly handle cache data instead of throwing an Exception in EarlyRenderingControllerWrapperSubscriber() Fixed maybe this isn't a problem anymore? Or rather, the problem is no longer an exception?

  • Comment 5 months ago β†’
    πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Embarrassingly, 3.x-1.10 itself contains an error that triggered the warning and therefore should be fixed. Your issue is probably fixed with πŸ› Cacheability Metadata Leakage Error on SAML Login with Samlauth and r4032 Redirect Module Active . 8.x-3.11 is out now.

  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States matthand Riverdale Park, Maryland

    Just reporting that I am still seeing this error, even in 3.11.

  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States mark_fullmer Tucson

    But I would really rather that people fix their sites and post known patches here

    Yes, I can do that! I can verify the following:

    - Using Samlauth 3.11 on its own does not trigger this warning for multiple sites I tested
    - Using the Metatag module (see #6 and #8 above) does not trigger this warning, at least not with the configuration we have.
    - What *is* triggering this warning is a custom implementation of hook_user_login() that modifies the destination parameter, passing a Drupal Url object as the parameter WITHOUT SPECIFYING that the metadata should bubble:

    From Core's API, the Url::fromRoute->toString() method takes an optional parameter that defaults to FALSE:

    public function toString($collect_bubbleable_metadata = FALSE) {

    In the case of my custom code, this change suppressed the warning:

    /**
 * Implements hook_user_login().
 */
function mymodule_user_login($account) {
  $param = \Drupal::request()->query->all();
  if (!$param || !isset($param['destination'])) {
    // For every user but "user 1", redirect to /dashboard upon login.
    if ($account->id() != 1) {
-      \Drupal::service('request_stack')->getCurrentRequest()->query->set('destination', Url::fromRoute('MYMODULE.ROUTE')->toString());
+      \Drupal::service('request_stack')->getCurrentRequest()->query->set('destination', Url::fromRoute('MYMODULE.ROUTE')->toString(TRUE)->getGeneratedUrl());
    }
  }
}

    My conclusion is that for the majority of folks coming to this issue, the problem is probably in custom code that implements hook_user_login()

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024