As far as I know, HTML cache will generate a static HTML file, but CSRF needs to be refreshed each time the page loads, so is there a way to make the CSRF token work with HTML cache?
Viewed 2,188 times
2
- It means all client sides use the same token? lol – kenken9999 Sep 03 '18 at 18:59
- It's PHP, not HTML. – sskoko Sep 03 '18 at 18:59
- @sskoko the OP is asking about page cache, so it is a cache of the HTML output – Devon Bessemer Sep 03 '18 at 19:15
- Sorry if my words make you confused. My English is not good. – Brooklyn Sep 04 '18 at 06:57
1 Answer
1
Since CSRF tokens are normally included in the form input, page caching would void the ability to randomize that input per user.
You can use AJAX to load data into the cached page.
One solution would be to load the entire HTML of the form through AJAX into the cached page. Another solution would be to load just the token through an AJAX request into the form. This may be something you can program into your site, to retrieve a token and insert it into all of your forms on page load or add it to the form submission process. This article discusses implications of getting a CSRF token through an AJAX request.

Devon Bessemer
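
One way to implement the second approach from the answer above (fetch only the token and insert it into the forms of the cached page), as an added example that is not part of the original answer. The endpoint path `/csrf-token`, its JSON shape `{"token": "..."}` and the field name `_token` are assumptions; substitute whatever your framework uses.

```javascript
// Added example: token injection for a statically cached page.
// Assumed (not from the post): endpoint path, JSON shape, field name.
const CSRF_ENDPOINT = "/csrf-token"; // hypothetical, must be same-origin
const CSRF_FIELD = "_token";         // hypothetical hidden field name

// Only state-changing forms get a token; a GET form would put it in the URL.
function needsToken(form) {
  return String(form.method || "get").toLowerCase() !== "get";
}

// Insert or refresh the hidden token field in every non-GET form.
// `doc` is the page's document, passed in so the logic can be tested.
function injectToken(doc, token) {
  if (typeof token !== "string" || token === "") throw new Error("empty CSRF token");
  let count = 0;
  for (const form of Array.from(doc.forms)) {
    if (!needsToken(form)) continue;
    let field = form.querySelector(`input[name="${CSRF_FIELD}"]`);
    if (!field) {
      field = doc.createElement("input");
      field.type = "hidden";
      field.name = CSRF_FIELD;
      form.appendChild(field);
    }
    field.value = token; // overwrite any stale value baked into the cache
    count++;
  }
  return count;
}

// Fetch the per-session token. The response must never come from a cache,
// otherwise every visitor shares one token, as with the cached page itself.
async function loadToken(fetchImpl) {
  const res = await fetchImpl(CSRF_ENDPOINT, {
    credentials: "same-origin", // send the session cookie, same origin only
    cache: "no-store",          // bypass the browser HTTP cache
    headers: { Accept: "application/json" },
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const body = await res.json();
  return body.token;
}

// In a browser, run once the cached HTML has been parsed.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    loadToken(fetch).then((t) => injectToken(document, t)).catch(console.error);
  });
}
```

On the server, the token response should be sent with `Cache-Control: no-store` and excluded from the page cache, and it should not be readable cross-origin (no permissive CORS headers), since a token another site can fetch provides no CSRF protection.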