[TYPO3-dev] Caching extension output without the cHash parameter

[Elmar Hinz]

John de Stigter wrote:

> Hi,
> 
> I get that. So what I would actually have to do is:
> 
> - Exclude extension vars that don't belong there.
> - Verify values as much as possible
> 
> Gr.
> John
> 

Hi,

yes. That would be a working alternative to cHash. Coding an algorithm that
checks, that your parameters are in a set of all valid parameter
combinations. In all other cases you do some error handling that doesn't
triggers the cache.

Already the generation of the cHash is such an algorithm. By theory you
could execute the same algorithm on the receiving end and check against the
generated pool of combinations. But that could be very processor consuming
the more entries you have. 

But you don't need the whole pool of combinations. You only need to check,
if the request, would be inside that pool. So you need a second algorithm.
The danger with two different algorithms is, that you can quickly make a
mistake and they don't really fit to each other.

Subline:

The cHash way is easier to do and security tested. 

Fortunately I never needed to configure realUrl myself. I would expect that
it also hides the cHash, by "storing" it on the server side. If so, why do
you take the hard road?

Regards

Elmar