Details
-
Improvement
-
Resolution: Done
-
Neutral
-
None
-
None
-
None
-
None
Description
Not sure where exactly to place this, but it there's a hole that is easy to get yourself in for all developers and it's tough to discover when you are when it happens, so it should probably be mentioned/linked from multiple places.
--------
When developing web pages templates, one needs to use various inputs such as content , language, request parameters or user information when authenticated. For all those attributes, Magnolia takes care and includes them in the cache headers to ensure unique cache entries are generated for all variants of the attributes that occur.
Sometimes however it is necessary to also use more exotic or less obvious variables to steer generated html. It might be certain header values or date/time or other input. When using such more exotic parameters, it is necessary for developers to consider impact of the input on cache validity to prevent web cache poisoning.
Imagine using referer (yes, the name is misspelled; see the spec) header to change the teaser image link on the page. Once this is rendered, by default, the result is cached and is then used for all other incoming requests (as long as cache entry is valid), regardless or their referer header. Depending on the content that is rendered it might be issue or not, but again imagine someone finds a way to pass malicious content through such referer header which then gets rendered for all incoming requests that come trusting to get your content. This is what is called Web Cache Poisoning.
To prevent the issue, it is necessary for developer to consider all the input that goes into rendering the response and where it comes from. And if such input is originating from the request, it needs to be either
- included in the cache key to allow Magnolia to generate independent cache entry from it or
- component rendering such content needs to be marked as dynamic and excluded from the cache (see DPC for more details)
- whole page needs to be excluded from the cache.
Checklists
Attachments
Issue Links
- mentioned in
-
Page Loading...