Code leaked cacheability metadata

Created on 12 September 2021, almost 4 years ago
Updated 4 February 2025, 5 months ago

Problem/Motivation

Whenever I authenticate using the plugin, a warning concerning leaking cacheability metadata is written to the log:

While processing SAML authentication response, code leaked cacheability metadata. This indicates a bug somewhere (but it is hard to pinpoint where): if the same code is called in other scenarios too, it may cause fatal crashes, or bloat the render cache unnecessarily. Please investigate. Metadata: i:6;:O:37:"Drupal\Core\Render\BubbleableMetadata":4:{s:16:"*cacheContexts";a:0:{}s:12:"*cacheTags";a:0:{}s:14:"*cacheMaxAge";i:-1;s:14:"*attachments";a:0:{}}

Steps to reproduce

Use the SAML login to authenticate.

Proposed resolution

Fix metadata leak.

🐛 Bug report
Status

Active

Version

3.3

Component

Code

Created by


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 United States rschwab

    I just started coming across this problem as of 3.10. It pops up when using a link with the 'destination' parameter, as in this twig template snippet:
    <a href="/saml/login?destination={{ path('<current>') }}">Website Login</a>

    With 📌 Correctly handle cache data instead of throwing an Exception in EarlyRenderingControllerWrapperSubscriber() Fixed maybe this isn't a problem anymore? Or rather, the problem is no longer an exception?

  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    Embarrassingly, 3.x-1.10 itself contains an error that triggered the warning and therefore should be fixed. Your issue is probably fixed with 🐛 Cacheability Metadata Leakage Error on SAML Login with Samlauth and r4032 Redirect Module Active. 8.x-3.11 is out now.

  • 🇺🇸 United States matthand Riverdale Park, Maryland

    Just reporting that I am still seeing this error, even in 3.11.

  • 🇺🇸 United States mark_fullmer Tucson

    But I would really rather that people fix their sites and post known patches here

    Yes, I can do that! I can verify the following:

    - Using Samlauth 3.11 on its own does not trigger this warning for multiple sites I tested
    - Using the Metatag module (see #6 and #8 above) does not trigger this warning, at least not with the configuration we have.
    - What *is* triggering this warning is a custom implementation of hook_user_login() that modifies the destination parameter, passing a Drupal Url object as the parameter WITHOUT SPECIFYING that the metadata should bubble:

    From Core's API, the Url::fromRoute->toString() method takes an optional parameter that defaults to FALSE:

    public function toString($collect_bubbleable_metadata = FALSE) {
    

    In the case of my custom code, this change suppressed the warning:

    /**
     * Implements hook_user_login().
     */
    function mymodule_user_login($account) {
      $param = \Drupal::request()->query->all();
      if (!$param || !isset($param['destination'])) {
        // For every user but "user 1", redirect to /dashboard upon login.
        if ($account->id() != 1) {
    -      \Drupal::service('request_stack')->getCurrentRequest()->query->set('destination', Url::fromRoute('MYMODULE.ROUTE')->toString());
    +      \Drupal::service('request_stack')->getCurrentRequest()->query->set('destination', Url::fromRoute('MYMODULE.ROUTE')->toString(TRUE)->getGeneratedUrl());
        }
      }
    }
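
Review bot: on the `+` line, the `GeneratedUrl` returned by `toString(TRUE)` is reduced to a string with `getGeneratedUrl()` and the cacheability metadata it collected is dropped; that is fine for a `destination` query value, but add a one-line comment saying the metadata is discarded on purpose so nobody later reverts it to `toString()`. The function also reads the query through `\Drupal::request()` on its first line and through `request_stack` on the changed line; use one accessor for both, and confirm the file has `use Drupal\Core\Url;` since the visible code references `Url` unqualified.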
    

    My conclusion is that for the majority of folks coming to this issue, the problem is probably in custom code that implements hook_user_login()

  • 🇳🇿 New Zealand RoSk0 Wellington

    Thanks for the pointer @mark_fullmer!

    I did have custom code in hook_user_login() that did a "destination"-based redirect to Url::fromRoute()->toString(), and it did produce the warning for every login.

    I tried the suggested Url::fromRoute()->toString(TRUE)->getGeneratedUrl() and it did get rid of the warning.
    That made me wonder and I started digging.

    The Url::fromRoute()->toString() bubbles metadata by default, but only if called in the render context, and everything generated from the controllers is rendered with the render context that is the request that the controller is responding to. See \Drupal\Core\Render\Renderer::getCurrentRenderContext() and the comment in the \Drupal\Core\Render\MetadataBubblingUrlGenerator::bubble() method body (provided below):

    Bubbling metadata makes sense only if the code is executed inside a render context. All code running outside controllers has no render context by default, so URLs used there are not supposed to affect the response cacheability.

    Posting this as a reminder to myself and anyone else confused like me - if you are not rendering anything in your controller, it doesn't mean that there is no render context involved!
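
The render-context behaviour described in the comments above, as an added example that is not code from samlauth, Drupal core or any commenter: the URL is generated inside a private render context via `executeInRenderContext()`, so whatever `toString()` bubbles is captured there instead of being left in the controller's context. The module name `mymodule`, the helper `mymodule_isolated_path()` and the route `mymodule.dashboard` are hypothetical.

```php
<?php

use Drupal\Core\Render\BubbleableMetadata;
use Drupal\Core\Render\RenderContext;
use Drupal\Core\Url;
use Drupal\user\UserInterface;

/**
 * Builds a route path inside a private render context.
 *
 * Hypothetical helper: returns [path, metadata that would have leaked].
 */
function mymodule_isolated_path(string $route_name): array {
  $context = new RenderContext();
  // Implicit bubbling from toString() lands in $context instead of the
  // render context wrapped around the controller handling this request.
  $path = \Drupal::service('renderer')->executeInRenderContext(
    $context,
    function () use ($route_name) {
      return Url::fromRoute($route_name)->toString();
    }
  );
  // The context holds at most one frame once the callback has returned.
  $leaked = $context->isEmpty() ? new BubbleableMetadata() : $context->pop();
  return [$path, $leaked];
}

/**
 * Implements hook_user_login().
 */
function mymodule_user_login(UserInterface $account) {
  $query = \Drupal::request()->query;
  // Keep a destination the request already carries; skip user 1.
  if ($query->has('destination') || (int) $account->id() === 1) {
    return;
  }
  [$path, $leaked] = mymodule_isolated_path('mymodule.dashboard');
  $query->set('destination', $path);
  // Log what was captured so the source of a leak is visible by route.
  \Drupal::logger('mymodule')->debug('Captured contexts: @c; tags: @t', [
    '@c' => implode(', ', $leaked->getCacheContexts()) ?: '(none)',
    '@t' => implode(', ', $leaked->getCacheTags()) ?: '(none)',
  ]);
}
```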
