Issue when setting meta tags in the cache
When using logintoboggan and metatag, you can end up with pages that show the wrong metatags due to caching the "access denied" information. When the user logs in, the cached metatag information is used so the page title, shortlink, and canonical URL are incorrect.
Steps to Reproduce
- Install metatag and logintoboggan
- Configure site 403 page so to use the logintoboggan access denied page and to show the login form when getting a 403 error
- Logout
- Clear the cache
- Go to a restricted page - you should see the 403 error and the login form
- Login
- Note the page title, shortlink and canonical url shows the access denied information in the metatags
Potential fix
If the page is the 403 page, don't cache meta tags.
Issue when getting meta tags from cache
There is also a problem when getting information from the cache that could potentially expose sensitive information such as user names. In this scenario, you end up seeing the cached metatags when you are on an access denied page.
Steps to reproduce
- Install metatag and logintoboggan
- Configure site 403 page so to use the logintoboggan access denied page and to show the login form when getting a 403 error
- Clear the cache
- Go to a restricted page - the metatags should be correct for the page
- Logout
- Go to the restricted page - you should see the 403 error and the login form
- Note the page title, shortlink and canonical url shows the metatags from when you were logged in
Potential fix
If the page is the 403 page, don't get meta tags from the cache.
Comments
Comment #0.0
kristen polUpdated issue summary.
Comment #0.1
kristen polUpdated issue summary.
Comment #1
kristen polNot sure this is "acceptable" or not but here's a patch.
Comment #1.0
kristen polUpdated issue summary.
Comment #1.1
kristen polUpdated issue summary.
Comment #2
kristen polI just realized there is a related issue so I updated the issue summary and title. I'll need a new patch that covers both issues.
Comment #2.0
kristen polAdd another related issue.
Comment #3
damienmckennaThanks for catching this bug.
It might be worthwhile to extend this to cover all 403 pages and simply not load meta tags. Also, how about removing the bin option from metatag_cache_set() entirely and just hardcode it?
Thanks Kristen!
Comment #4
kristen polThanks Damien :) I cleaned it up now so it doesn't get from cache or set the cache if on the 404 page.
(Updating attribution on November 23, 2015.)
Comment #5
dwightaspinwall commentedThanks for catching this Kristen. Patch in #4 worked for me, though due to apparent complexity of the patch I'm reluctant to mark it RTBC. Also cross-posted this at #2120279: Access Denied still appears in page title after successful login due to metatag cache not being cleared as at first blush it looks like a logintoboggan issue (although it isn't).
Comment #5.0
dwightaspinwall commentedUpdated issue summary.
Comment #6
ParisLiakos commentedthis does not work for me.
this is what worked. instead of checking the 403 path like in #4:
I ll roll a patch later
Comment #7
ParisLiakos commentedand this is not just a bug when using logintoboggan:
Comment #8
dave reidYeah we definitely should be checking the actual header and not the path.
Comment #9
damienmckennaComment #10
damienmckennaWill this work? I've added support for 404 pages too, static cached the 403 and 404 paths (might be problematic with translated sites?), and replaced $_GET['q'] with checks against request_path() and current_path().
Comment #11
damienmckennaDuh, forgot about the global $language variable.
Also, this is related to #2062379: cache_metatag table grows too much..
Comment #12
damienmckennaCrazy question - what about just parsing the 'status' value from the array returned by drupal_get_http_header() instead, and changing it so that the value *is* cached but it'll only cache one record (when #2062379: cache_metatag table grows too much. is applied too), not multiples?
Comment #14
damienmckennaI was going to suggest caching the 403/404 results as the meta tags should be generic, but then forgot that URL fields are page-specific so they can't be cached.
How about this? It adds a check against drupal_get_http_header() before checking the site_403 and site_404 variables.
Comment #16
ParisLiakos commentedthe check to drupal_get_http_header() is enough i think?
what is the usecase where the drupal_get_http_header is not set but the page is 403/404?
I would suggest not to rely on intval, but the exact strings:
404 Not Found
403 Forbidden
But even if you do, then you should do strict check here === and use typecasting (int) which is faster
Comment #17
mfbIs there a real need to avoid caching 404 pages? 404 requests are often triggered by bots etc. and caching on these requests can actually be helpful.
Comment #18
damienmckenna@mfb: Yes, until we have better 404 handling.
Comment #19
damienmckennaI've added another issue related to this one: #2156261: Add a way for 403/404 pages to be customized individually
Comment #20
damienmckennaHow about I add a variable to let you control whether 403/404 pages are cached, and set it to "OFF" by default? That way most sites can leave it disabled, but sites that need this can enable it.
Comment #21
damienmckennaThis needs to be rerolled as I've moved most of the code into #2062379: cache_metatag table grows too much..
Comment #22
damienmckennaHow's about this? Thanks to the work in #2062379: cache_metatag table grows too much. not much is actually needed. I've also added a variable 'metatag_cache_error_pages' that can be used to control whether the meta tags are cached on 403/404 pages, which is defaulted to not cache them (see the README.txt changes for details).
Comment #24
damienmckennaSo the return array from drupal_get_http_header() doesn't always have a 'status' value.
Comment #25
damienmckennaCommitted!
Comment #26
damienmckennaFYI the handling of 403/404 pages went through some changes in #2156261: Add a way for 403/404 pages to be customized individually.