Problem with page cache and token - anonymous users can't vote with page caching [#481640]

Hello,
I've found that with page caching set to 'Normal' anonymous users can't vote. With previous version (1.13) and same cache everything was fine. I've made analysis of new module's code and think that problem is in form token which caches for anonymous users. When I've commented out this code in fivestar_vote() function:

if (!isset($_GET['token']) || !fivestar_check_token($_GET['token'], $path)) {
    $output .= '<xml><error>'. t('Invalid token') .'</error></xml>';
    exit($output);

Votes start to work for anonymous users. Can you offer a better solution for this problem? Because now fivestar didn't work for sites with normal cache setting and anonymous voters.

Comment	File	Size	Author
#3	fivestar_anonymous_token_check.patch	1.11 KB	quicksketch
#3

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

Jeff Burnz CreditAttribution: Jeff Burnz commented 17 June 2009 at 04:55

Title:	Problem with page cache and token	» Problem with page cache and token - anon users can't vote when cache is on
Priority:	Normal	» Critical

Anon users cannot vote on my site either, I only picked up on this from the lack of votes, so I tried to vote as anon and the vote never gets saved and no error message is returned. http://3rdworldthemes.org

I commented out the call to fivestar_check_token function in function fivestar_vote and now it works:
line 695: if (!isset($_GET['token']) /*|| !fivestar_check_token($_GET['token'], $path)*/)

I'm looking at $path in function fivestar_vote and wondering if that is the issue?

This is critical for me as I don't have logged in users and I need to use the cache.

Comment #2

beholder CreditAttribution: beholder commented 17 June 2009 at 05:34

I think problem with cached security token in vote form — for every anonymous user this token is the same, but fivestar_check_token() expect different tokens for every user. When page is cached, form token is static and equal for all users, so fivestar throws error "Invalid token". We need to rebuild this token for anonymous users (I don't think it's possible with page caching, but i'm not sure) or we need to remove this check from fivestar module code.

Comment #3

quicksketch

he/him

CreditAttribution: quicksketch commented 30 June 2009 at 22:58

Status:

Needs review

» Fixed

File	Size
fivestar_anonymous_token_check.patch	1.11 KB

I've applied the attached patch which lessens the restrictions on anonymous users. Since the page cache gives all anonymous users the same HTML output, we have to allow the same token to be accepted for all anonymous users.