Issue when setting meta tags in the cache

When using logintoboggan and metatag, you can end up with pages that show the wrong metatags due to caching the "access denied" information. When the user logs in, the cached metatag information is used so the page title, shortlink, and canonical URL are incorrect.

Steps to Reproduce

  1. Install metatag and logintoboggan
  2. Configure site 403 page so to use the logintoboggan access denied page and to show the login form when getting a 403 error
  3. Logout
  4. Clear the cache
  5. Go to a restricted page - you should see the 403 error and the login form
  6. Login
  7. Note the page title, shortlink and canonical url shows the access denied information in the metatags

Potential fix

If the page is the 403 page, don't cache meta tags.

Issue when getting meta tags from cache

There is also a problem when getting information from the cache that could potentially expose sensitive information such as user names. In this scenario, you end up seeing the cached metatags when you are on an access denied page.

Steps to reproduce

  1. Install metatag and logintoboggan
  2. Configure site 403 page so to use the logintoboggan access denied page and to show the login form when getting a 403 error
  3. Clear the cache
  4. Go to a restricted page - the metatags should be correct for the page
  5. Logout
  6. Go to the restricted page - you should see the 403 error and the login form
  7. Note the page title, shortlink and canonical url shows the metatags from when you were logged in

Potential fix

If the page is the 403 page, don't get meta tags from the cache.

Comments

kristen pol’s picture

Issue summary: View changes

Updated issue summary.

kristen pol’s picture

Issue summary: View changes

Updated issue summary.

kristen pol’s picture

Status: Active » Needs review
StatusFileSize
new2.88 KB

Not sure this is "acceptable" or not but here's a patch.

kristen pol’s picture

Issue summary: View changes

Updated issue summary.

kristen pol’s picture

Issue summary: View changes

Updated issue summary.

kristen pol’s picture

Title: Do not cache access denied related metatags to ensure compatibility with logintoboggan » Fix issues with caching and access denied page to ensure compatibility with logintoboggan
Status: Needs review » Needs work

I just realized there is a related issue so I updated the issue summary and title. I'll need a new patch that covers both issues.

kristen pol’s picture

Issue summary: View changes

Add another related issue.

damienmckenna’s picture

Title: Fix issues with caching and access denied page to ensure compatibility with logintoboggan » Don't load data on 403 error pages (re: compatibility with logintoboggan)

Thanks for catching this bug.

It might be worthwhile to extend this to cover all 403 pages and simply not load meta tags. Also, how about removing the bin option from metatag_cache_set() entirely and just hardcode it?

Thanks Kristen!

kristen pol’s picture

Status: Needs work » Needs review
StatusFileSize
new4.89 KB

Thanks Damien :) I cleaned it up now so it doesn't get from cache or set the cache if on the 404 page.

(Updating attribution on November 23, 2015.)

dwightaspinwall’s picture

Thanks for catching this Kristen. Patch in #4 worked for me, though due to apparent complexity of the patch I'm reluctant to mark it RTBC. Also cross-posted this at #2120279: Access Denied still appears in page title after successful login due to metatag cache not being cleared as at first blush it looks like a logintoboggan issue (although it isn't).

dwightaspinwall’s picture

Issue summary: View changes

Updated issue summary.

ParisLiakos’s picture

this does not work for me.
this is what worked. instead of checking the 403 path like in #4:

  $status = drupal_get_http_header('status');
  $is_403 = $status == '403 Forbidden';
  if (!$is_403) {
    cache_set($cid, $data, 'cache_metatag');
  }

I ll roll a patch later

ParisLiakos’s picture

Title: Don't load data on 403 error pages (re: compatibility with logintoboggan) » Don't load/cache data on 403 error pages
Category: Feature request » Bug report
Issue summary: View changes

and this is not just a bug when using logintoboggan:

  1. Give authenticated users the permission to create article.
  2. Trigger the node/add/article link as anonymous
  3. Login and visit node/add/article
  4. Page title is "Access denied" instead of "Create article"
dave reid’s picture

Yeah we definitely should be checking the actual header and not the path.

damienmckenna’s picture

Issue tags: +Performance
damienmckenna’s picture

Title: Don't load/cache data on 403 error pages » Don't load/cache data on 403 & 404 error pages
Parent issue: » #2117171: Plan for 7.x-1.0-beta8 on 2013-01-15
StatusFileSize
new5.79 KB

Will this work? I've added support for 404 pages too, static cached the 403 and 404 paths (might be problematic with translated sites?), and replaced $_GET['q'] with checks against request_path() and current_path().

damienmckenna’s picture

Related issues: +#2062379: cache_metatag table grows too much.
StatusFileSize
new5.94 KB

Duh, forgot about the global $language variable.

Also, this is related to #2062379: cache_metatag table grows too much..

damienmckenna’s picture

StatusFileSize
new5.41 KB

Crazy question - what about just parsing the 'status' value from the array returned by drupal_get_http_header() instead, and changing it so that the value *is* cached but it'll only cache one record (when #2062379: cache_metatag table grows too much. is applied too), not multiples?

Status: Needs review » Needs work

The last submitted patch, 12: metatag-n2090557-12.patch, failed testing.

damienmckenna’s picture

Status: Needs work » Needs review
StatusFileSize
new7.05 KB

I was going to suggest caching the 403/404 results as the meta tags should be generic, but then forgot that URL fields are page-specific so they can't be cached.

How about this? It adds a check against drupal_get_http_header() before checking the site_403 and site_404 variables.

Status: Needs review » Needs work

The last submitted patch, 14: metatag-n2090557-13.patch, failed testing.

ParisLiakos’s picture

the check to drupal_get_http_header() is enough i think?
what is the usecase where the drupal_get_http_header is not set but the page is 403/404?

+++ b/metatag.module
@@ -1874,3 +1878,75 @@ function metatag_translate($name, $string, $langcode = NULL, $update = FALSE) {
+  $status = intval($headers['status']);
+  if ($status == 403 || $status == 404) {
+    return;

I would suggest not to rely on intval, but the exact strings:
404 Not Found
403 Forbidden

But even if you do, then you should do strict check here === and use typecasting (int) which is faster

mfb’s picture

Is there a real need to avoid caching 404 pages? 404 requests are often triggered by bots etc. and caching on these requests can actually be helpful.

damienmckenna’s picture

@mfb: Yes, until we have better 404 handling.

damienmckenna’s picture

I've added another issue related to this one: #2156261: Add a way for 403/404 pages to be customized individually

damienmckenna’s picture

How about I add a variable to let you control whether 403/404 pages are cached, and set it to "OFF" by default? That way most sites can leave it disabled, but sites that need this can enable it.

damienmckenna’s picture

This needs to be rerolled as I've moved most of the code into #2062379: cache_metatag table grows too much..

damienmckenna’s picture

Status: Needs work » Needs review
StatusFileSize
new2.69 KB

How's about this? Thanks to the work in #2062379: cache_metatag table grows too much. not much is actually needed. I've also added a variable 'metatag_cache_error_pages' that can be used to control whether the meta tags are cached on 403/404 pages, which is defaulted to not cache them (see the README.txt changes for details).

Status: Needs review » Needs work

The last submitted patch, 22: metatag-n2090557-22.patch, failed testing.

damienmckenna’s picture

Status: Needs work » Needs review
StatusFileSize
new2.79 KB

So the return array from drupal_get_http_header() doesn't always have a 'status' value.

damienmckenna’s picture

Status: Needs review » Fixed

Committed!

damienmckenna’s picture

FYI the handling of 403/404 pages went through some changes in #2156261: Add a way for 403/404 pages to be customized individually.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.