Problem: Enabling the page cache for anonymous users in Drupal 7 makes this module serve stale encryption keys. If this module is being used for the /user login form, it can lock out users out of the site until page cache is disabled.

Solution: An exception needs to be added in hook_init that explicitly tells Drupal not to cache the encryption key path.

I will be downloading the repository version of the module so that I can commit a patch against the DEV version.

Comments

alexander allen’s picture

StatusFileSize
new660 bytes

Patched master branch.

Thank you.

alexander allen’s picture

Status: Active » Needs review
richardp’s picture

Thank you for finding this one, Alexander. I'm surprised it hasn't come up before now.

In addition to adding the drupal_page_is_cachable(FALSE), I am going to add a bit of randomness to the URL that is used to request the keys. I do something similar to my "safer_login" module for D6, and for some reason left it off completely here.

Will be posting new releases for this soon.

Richard

richardp’s picture

Version: 7.x-1.0 » 7.x-1.1
Status: Needs review » Fixed

Okay, I added your patch as well as added some randomness to the URL in javascript-- caching problems should be fixed now. I released it as version 7.x-1.1, and the dev version should have it to when it rebuilds tonight.

I will also be making a similar change to the 6.x branch.

Thanks again!
Richard

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

Modified issue description.