@@ -10,39 +10,33 @@ need to be cautious if you try to cache pages with forms including them.
1010For more information about how CSRF protection works in Symfony, please
1111check :ref: `CSRF Protection <forms-csrf >`.
1212
13- Why Reverse Proxy Caches do not Cache these Pages by Default
14- ------------------------------------------------------------
15-
16- There are many ways to generate unique tokens for each user but in order get
17- them validated when the form is submitted, you need to store them inside the
18- PHP Session.
19-
20- If you are using Varnish or some similar reverse proxy cache and you try to cache
21- pages containing forms with CSRF token protection, you will see that, by default,
22- the reverse proxy cache refuses to cache.
23-
24- This happens because a cookie is sent in order to preserve the PHP session open and
25- Varnish default behaviour is to not cache HTTP requests with cookies.
26-
27- If you think about it, if you managed to cache the form you would end up
28- with many users getting the same token in the form generation. When these
29- users try to send the form to the server, the CSRF validation will fail for
30- them because the expected token is stored in their session and different
31- for each user.
32-
33- How to Cache Most of the Page and still Be Able to Use CSRF Protection
13+ Why Caching Pages with a CSRF token are Problematic
14+ ---------------------------------------------------
15+
16+ Typically, each user is assigned a unique CSRF token, which is stored in
17+ the session for validation. This means that if you *do * cache a page with
18+ a form containing a CSRF token, you'll cache the CSRF token of the *first *
19+ user only. When a user submits, the token won't match the token stored in
20+ the session and all users (except for the first) will fail CSRF validation
21+ when submitting the form.
22+
23+ In fact, many reverse proxies (like Varnish) will refuse to cache a page
24+ with a CSRF token. This is because a cookie is sent in order to preserve
25+ the PHP session open and Varnish's default behaviour is to not cache HTTP
26+ requests with cookies.
27+
28+ How to Cache Most of the Page and still be able to Use CSRF Protection
3429----------------------------------------------------------------------
3530
36- To cache a page that contains a CSRF token you can use more advanced caching
37- techniques like `ESI `_ fragments, having a TTL for the full page and embedding
38- the form inside an ESI tag with no cache at all.
31+ To cache a page that contains a CSRF token, you can use more advanced caching
32+ techniques like :ref: `ESI fragments < edge-side-includes >`, where you cache
33+ the full page and embedding the form inside an ESI tag with no cache at all.
3934
40- Another option to be able to cache that heavy page would be loading the form
41- via an uncached AJAX request but cache the rest of the HTML response.
35+ Another option would be to load the form via an uncached AJAX request, but
36+ cache the rest of the HTML response.
4237
4338Or you can even load just the CSRF token with an AJAX request and replace the
4439form field value with it.
4540
4641.. _`Cross-site request forgery` : http://en.wikipedia.org/wiki/Cross-site_request_forgery
47- .. _`ESI` : http://www.w3.org/TR/esi-lang
4842.. _`Security CSRF Component` : https://github.com/symfony/security-csrf
0 commit comments