On Fri, Nov 2, 2012 at 1:31 PM, Magnus Hagander <magnus@hagander.net> wrote:
> So, one more thought. Is this going to break if the form is cached? That is,
> the original form at e.g. http://www.postgresql.org/community/ for the
> surveys is cached. That means that the CSRF token that's on the form
> actually ends up being cached. Is the CSRF token going to be valid in those
> cases, and is it actually going to protect us?
Yeah, that's true. But it should be a matter of flushing the Varnish
cache, right? There are no cache policy headers on these responses, so
browsers will generally revalidate the page.
But now that you mention it, there is another caching impact:
accessing this page causes the user's cookies to be changed, and due
to "Vary: Cookie", it will prevent the caching of any subsequent page
fetches for this user in Varnish, even on other pages (for 1 full year
by default).
Of course the above also affects any users who logged in -- since the
csrftoken cookie is served without the "secure" flag, the cookie is
also present in any non-secure requests.
Does this also impair Varnish "grace mode", when the backend server is down?
Regards,
Marti