Contrib.social

Cache context/stuck Task Menu on SSO user

Open on Drupal.org β†’
Created on 22 August 2025, about 1 month ago

Problem/Motivation

Hi, we are having an issue with missing route and roles cache context on SSO users that match an existing Drupal user.
Basically the tags are Ok. When that happens, and the user is redirected to its /user/ID page, the Primary/secondary Task Blocks get stuck for every other user across the site bc the Cache variation related to Context is basically useless. Even the Home Page shows that user's USER edit/activity etc for any other user.

A bit of background. Running latest (as of today) Drupal 10.5.x, PHP 8.3 (which is quite aggressive on caching) and proper READ_COMMITTED for the DB, caching managed via REDIS. Latest release 3.11 of this module. SAML config is a following

-Login/User: "Attempt to link SAML data to existing Drupal users". True for both email and name, we had a few Roles there (except Admin)
- User Roles: we had basically a complete "unassign" for every role, a single Unconditional Role, and then SAML attribute based value Conversions (all of the working)

This does not happen all the time and it is hard to reproduce, but we had it twice this week. The Redis report shows that the Tasks are properly variating... (means no external code is removing context ... which is not the same as "context" value was present)

"entity_view:block:themename_primary_local_tasks: 1876 (route, url.query_args, user.roles, user, user.roles:authenticated)"

Clearing caches, or re-saving Block layout solves the problem

I suspect a race condition (DB?), when the user gets the Roles Unassigned and then re-assigned and when the /user landing page is rendered there are missing context values. But it might be also about a missing route during the cache assignment process?

Others (not for this module) have reported similar issues here https://www.drupal.org/forum/support/module-development-and-code-questio... β†’

Steps to reproduce

Very hard. And once it triggers it is very hard to actually debug cache ability with our actually clearing caches (no hook will run until you do so)...

Proposed resolution

I have none yet. Silly ideas: One could maybe force, for the redirect page, a one time "no cache" (cache kill switch) ?
Basically e.g alter via adding an extra context (but on large site with hundreds of users that would be really silly)
Or maybe check there, if the current route is set, and all the extra data is present and only act on e.g setting caching time to 0? (once?)

yourmodule_menu_local_tasks_alter(&$data, $route_name, RefinableCacheableDependencyInterface &$cacheability) {
$cacheability->addCacheContexts(['user']);
}

has anyone else seen this behavior? Thanks

πŸ› Bug report
Status

Active

Version

3.11

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States diegopino

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @diegopino
  • Comment about 1 month ago β†’
    πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Login (after coming back from the IdP) is done during a POST request to /saml/acs / SamlController::acs() This request / method

    • is not supposed to build any content at all
    • returns a RedirectResponse. After that, it is up to Drupal what happens - outside the scope of samlauth.

    I am not saying that samlauth definitely cannot do anything about your issue... Just that it does not seem likely to me, at first sight. It doesn't seem likely to me, to be a race condition on unassigning/reassigning roles, because no blocks should be getting built during the request. Unless you are doing something on e.g. hook_user_login() that should probably be done somewhere else.

    If you explore a hook_menu_local_tasks_alter() fix, please check during which request it gets executed. My guess is it should be the GET request to /user/ID, during which any trace of samlauth's actions has already vanished, the user should be newly loaded with its new roles, etc.

    Given the forum issue you have linked, it's probably useful to debug this and report on it. I just don't have an idea on how we can help here in this module's queue.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024