Joomla caching breaks Ajax tokens


pbass

Jun 5, 2013, 12:29:32 PM
to joomla-de...@googlegroups.com
Hi-- I'm using ajax to handle some fancy data interactions in my Joomla site. For better security and to control access, I'm checking for a valid session token in the request at the ajax endpoint.

The problem is that the PHP view.html.php page that generates the ajax request URL with the token appears to be getting cached-- which means that any ajax request fails with an invalid token. Interestingly, this doesn't happen in Chrome.

Is there a way to direct Joomla to "nocache" a single page or view.html.php?

Omar Ramos

Jun 5, 2013, 2:46:27 PM
to Joomla! General Development
There are some ways to prevent caching of pages (there are different options on the JED: http://extensions.joomla.org).

Not sure if you're using the Cache System Plugin in Joomla or just one of the other caching options (Conservative or Progressive), but recently I took a different approach with the Cache System Plugin (since it normally does a full cache of EVERY page on the site, which is not usually what you want, unless you have a static site).

If you're using Google Analytics on your site you may notice that only 10-20 of your pages make up the bulk of the traffic to your site (in my case the homepage was 65-70% of the total). So I only wanted to specifically cache those pages and I put together a plugin to do that which you can grab for free here:
http://www.orware.com/downloads/ (it's the plgSystemHomepageCache one).

It might fit your needs, but if it doesn't I know there's one on the JED (I believe it's called CacheControl that I've used in the past with success for what you described).

-Omar



Matt Thomas

Jun 5, 2013, 2:53:19 PM
to Joomla! General Development
I'm not sure if this will help or not, but I have been working on an Ajax solution for Joomla and documented a tip at https://github.com/betweenbrain/Joomla-Ajax-Interface/wiki/Tips-and-tricks that may help dealing with the cache issue.

Best,

Matt Thomas
Founder betweenbrain
Phone: 203.632.9322
Twitter: @betweenbrain

pbass

Jun 5, 2013, 4:06:05 PM
to joomla-de...@googlegroups.com
Thanks Matt and Omar--

I have tried using the random datetime as a url param, which is effective for getting a non-cached version of the javascript data.

The problem however is in the actual token, since it must be generated in the PHP page (in the view). If this PHP page is served from the cache, then the token is naturally wrong.

I'm just wondering if there's a "best practice" way to handle this, rather than having to install third party cache plugins.

Please see below:


// view.html.php
$script = "var ajaxurl = 'index.php?task=ajaxFunction&".JFactory::getSession()->getFormToken()."=1';"; // <-- this value, the token, is cached! 
$document->addScriptDeclaration($script);

// ajax.js
var request = new Request.JSON({
    url: ajaxurl,
    onException: function(headerName, value) {
        // etc.
    }
});

// controller
public function ajaxfunction()
{
    JRequest::checkToken('get') or die( 'Invalid Token!' );
    // do other stuff
}
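
Why the cached token fails, and one general way to keep caching without breaking the check, as an added example that is not part of the original post and is not Joomla code. It is a small Node.js model of a page cache keyed by URL; the function names, the placeholder string and the sample tokens are constructed for illustration, and the placeholder substitution is a general technique, not something proposed in this thread.

```javascript
// Constructed model, not Joomla code: a page cache keyed only by URL and a
// per-session form token embedded in the rendered page.
const sessions = new Map([            // session id -> constructed sample token
  ['A', 'a3f1c2d4e5b60718293a4b5c6d7e8f90'],
  ['B', '0f9e8d7c6b5a49382716e5d4c3b2a1f0'],
]);
const formToken = (sid) => sessions.get(sid);

// Server-side check, analogous to the controller's token check: the request
// must carry the caller's own session token as a parameter name set to 1.
function checkToken(sid, query) {
  return query[formToken(sid)] === '1';
}

const pageCache = new Map();          // cache key -> rendered body

// Broken: the token is rendered into the body before the body is cached, so
// every later visitor receives the first visitor's token.
function renderCachedNaive(url, sid) {
  if (!pageCache.has(url)) {
    pageCache.set(url, `var ajaxurl = 'index.php?task=ajaxFunction&${formToken(sid)}=1';`);
  }
  return pageCache.get(url);
}

// Safer: cache a placeholder and substitute the caller's token on every hit.
const PLACEHOLDER = '{{FORM_TOKEN}}'; // hypothetical marker
function renderCachedSafe(url, sid) {
  const key = 'safe:' + url;
  if (!pageCache.has(key)) {
    pageCache.set(key, `var ajaxurl = 'index.php?task=ajaxFunction&${PLACEHOLDER}=1';`);
  }
  return pageCache.get(key).replace(PLACEHOLDER, formToken(sid));
}

// Pull out the query parameters the browser would send for the rendered URL.
function queryFrom(body) {
  return Object.fromEntries(new URLSearchParams(body.match(/\?([^']+)'/)[1]));
}

function demo() {
  const run = (render, sid) => checkToken(sid, queryFrom(render('/view', sid)));
  return {
    naiveA: run(renderCachedNaive, 'A'), naiveB: run(renderCachedNaive, 'B'),
    safeA: run(renderCachedSafe, 'A'), safeB: run(renderCachedSafe, 'B'),
  };
}
console.log(demo());
```

In the naive path session B is handed session A's token, which is the "Invalid Token!" failure described in the post; with the placeholder the cached body is shared but each session validates against its own token.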

pbass

Jun 17, 2013, 1:19:53 PM
to joomla-de...@googlegroups.com
Still haven't been able to resolve this-- I was hoping some of the Joomla experts could advise how they use tokens in ajax requests? I can't find a way to set a token in the javascript request that doesn't get cached. This thread on SO helped, but still doesn't work in all cases, and it doesn't seem like the "right" way to handle this anyway.

http://stackoverflow.com/questions/16947302/session-tokens-in-php-being-cached-by-joomla

Can someone provide an example of using joomla tokens in an ajax request?

Thanks

Tim Kramer

Jul 3, 2013, 12:56:39 PM
to joomla-de...@googlegroups.com
Thanks Jurian-- 

however, I'm failing to understand how and why the tokens are being cached at all. Should the Joomla cache ignore tokens? I have tried moving the token into the controller like this:

$app->input->set('myapp_token', $session->getToken(true));

which should force a new token each time the page is loaded, correct?

However, when I then dump the token in the view:

var_dump($app->input->get('myapp_token'));

it's the same between two different browsers and sessions-- so the token and controller are being cached, correct? Is there no way in Joomla to prevent a view from being cached? Is there no "accepted" way in Joomla to handle tokens so they won't be cached?

The same issue happens if I store the token in JSession-- isn't JSession using cookies? I don't really follow why the JSession would also return the cached value from a cookie request. 


On Monday, June 17, 2013 12:14:41 PM UTC-7, Jurian Even wrote:
I btw do check for a token but that code is a bit embedded in the extension. You'll add the token to the AJAX url http://....&yourtoken=1. Then at the PHP side you check for this token if it's 1.

Tim Kramer

Jul 8, 2013, 10:55:56 AM
to joomla-de...@googlegroups.com
Hi Jurian-- 

Are you suggesting that I create my own token check routine for my component rather than using the Joomla core token check?

We've tried several popular cache control plugins and tried setting them to disregard the pages in question, but they don't seem to work. I guess I'm just wondering (still) if there's any "standard" way to handle form tokens in Ajax on Joomla.

Thanks


On Wednesday, July 3, 2013 2:25:15 PM UTC-7, Jurian Even wrote:
If you enable the Joomla cache, the content is being cached and your var_dump doesn't represent the current value but the value which was calculated when the page was shown when it was cached. (Ok the Joomla caches behave differently, but just to make my point).

I don't think the Joomla cache should specifically search for tokens and I'm aware of the issue. The only fix I'm aware of is disabling the Joomla cache for the specific page with a cache control plugin (see JED). If someone knows a better solution, please let us know.

Btw I don't recommend to pollute the input variable with your token. You can use a function in your extension and calculate it within your extension or use a constant for it (DEFINE ...). Also if the token would change for every page refresh, how would you be able to check the token? It has to remain constant for a session. Indeed if you view it with a different browser, you'll have a different session and the token should change. But that couldn't happen decently when you cache that content.

On Wednesday, July 3, 2013 18:56:39 UTC+2, Tim Kramer wrote:

Tim Kramer

Jul 9, 2013, 11:59:28 AM
to joomla-de...@googlegroups.com
Hi Jurian-- thanks again for staying with me.

I used a really ugly hack where I output an actual form token into the rendered page using JFactory::getSession()->getFormToken(); -- then in the javascript grab the value of this form input to post with the Ajax vars. 

However, even this approach doesn't work reliably on all browsers.

On Monday, July 8, 2013 11:13:48 PM UTC-7, Jurian Even wrote:
Hi Tim,

>> Are you suggesting that I create my own token check routine for my component rather than using the Joomla core token check?
Never mind regarding that $app->input issue, of course you'll need to get it from the input when you're using AJAX.
Also it's better to use the form token, there are plenty examples in the Joomla source code:
JFactory::getSession()->getFormToken();
JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

This cache control plugin works, but is only J2.5 compatible:
I don't think the System - Cache plugin could be managed with this plugin, I didn't test that.

>> I guess I'm just wondering (still) if there's any "standard" way to handle form tokens in Ajax on Joomla.
There's another topic where betweenbrain and some others are working on a new "standard" and easy Joomla AJAX way: