[TYPO3-dev] set_no_cache is bad. What's next?

Steffen Kamper steffen at dislabs.de
Mon Apr 2 10:02:18 CEST 2007


"Elmar Hinz" <elmar.hinz at team.MINUS.red.DOT.net> wrote in message
news:mailman.1.1175475921.18477.typo3-dev at lists.netfielders.de...
>> Hi Elmar,
>>
>> in my example I enforced a never used cHash by adding a piVar t=time()
>> This is not a good method, but it works to get a never used cHash.
>>
>
> You get a never used cHash. That is not the purpose of the cHash system.
> You would never find the entry again, so they are useless. To find them
> you would need the identical timestamp. You would only create a self-made
> DoS attack.
>
>> So thinking again, piVars are a combination of GET and POST vars, so maybe the
>> same result with
>>
>> $markerArray['###ACTION###']=$this->pi_linkTP_keepPIvars_url($this->piVars,1);
>>
>> Now we fit the combination, by calling the form with a combination we had
>> before, we get the same cHash, and of course the same result page - am I
>> right?
>
> If I understand you right, you want to call the form twice.
>
> First to select the values in the form, to send them to the server and
> to create a new cHash action now ready to initialize caching on the second
> call. Right? People would need to hit the save button twice. Alternatively
> you could do a redirect.
>
> That would work until the DoS attack. People can send you any manipulated
> parameters on the first call. You would cache them all without limitation.
>
> Again you would undermine the security system of cHash.
>
> IMHO the system would only work:
>
> 1.) if you have only a limited number of selection combinations in the
> form, to not blow up the DB. No free text input.
>
> 2.) if you combine it with a redirect, so that you do not need to hit submit
> twice.
>
> 3.) if you do a careful security check, if the incoming parameters are
> in the set of allowed values.
>
> But I would not recommend to do so. It feels error-prone.
>
> Regards
>
> Elmar
>
Hi Elmar,

you're right, this makes no sense. All I do is thinking out loud, and this
approach was a shot at nothing.
So I'm at the beginning again on how to manage it.
Maybe the best way is to generate a search that contains all records and
cache this, in any other way prevent caching.
And there the next problem comes: this has to be made manually and can't be
dynamic. It seems that the cHash system comes to its limit and we need
what you suggested in this thread, an object-oriented caching system.

Regards, Steffen
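
The three conditions Elmar lists in the quoted text (a finite set of selection combinations, a redirect, and an allow-list check on incoming parameters), as an added PHP example that is not part of the original thread and not TYPO3 code. The parameter names, allowed values and function names are hypothetical; the example also shows why the finite set puts a hard ceiling on the number of cache entries.

```php
<?php
// Added example, not TYPO3 code; all names and values are hypothetical.
// Assumption: the form offers only these select values (no free text).
const ALLOWED = [
    'category' => ['news', 'events', 'jobs'],
    'sort'     => ['date', 'title'],
];

// Returns the canonical parameters, or null if the request must not be cached.
function canonicalParams(array $piVars): ?array
{
    // Unknown keys such as t=time() would mint a new cache entry per request.
    if (array_diff_key($piVars, ALLOWED) !== []) {
        return null;
    }
    $clean = [];
    foreach (ALLOWED as $key => $values) {
        if (!array_key_exists($key, $piVars)) {
            continue; // parameter is optional
        }
        if (!in_array($piVars[$key], $values, true)) {
            return null; // strict compare also rejects arrays and numbers
        }
        $clean[$key] = $piVars[$key]; // ALLOWED order: one URL per combination
    }
    return $clean;
}

// Upper bound on the distinct cacheable pages this form can create.
function maxCacheEntries(): int
{
    $n = 1;
    foreach (ALLOWED as $values) {
        $n *= count($values) + 1; // +1 for "parameter omitted"
    }
    return $n;
}

// Constructed sample requests.
$requests = [
    ['sort' => 'date', 'category' => 'news'],    // valid, reordered
    ['category' => 'news', 't' => '1175475921'], // cache-busting extra key
    ['category' => 'free text'],                 // value outside the set
];
foreach ($requests as $piVars) {
    $params = canonicalParams($piVars);
    echo $params === null
        ? "reject: render uncached, store nothing\n"
        : 'redirect to ?' . http_build_query($params) . "\n";
}
echo 'cache entries possible: ', maxCacheEntries(), "\n";
```

In a plugin, the redirect target would be the point where the cacheable link is built from the cleaned parameters only, never from the raw request.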