[TYPO3-commerce] $GLOBALS['TSFE']->set_no_cache() --> bad practice --> why using it?
Ingo Schmitt
mailinglisten at i-schmitt.de
Thu Sep 6 10:37:11 CEST 2007
Franz Koch wrote:
> Hi Ingo,
>
>> Currently there are only 3 calls to set_no_cache in pi1. These calls
>> are only made if the given GET parameters are not correct, mainly if
>> someone is trying to change the parameters by guessing.
>> We added in the last days checks if the given product uid and category
>> uid match the selected category in the backend, so if these
>> parameters are not correct, we are showing the entry page for the
>> plugin and we don't want to get this page cached and indexed, since
>> already the call with the given parameters is wrong.
>
> Well - that's what the cHash is for ;) No valid cHash for the given
> piVars, no caching as far as I know.
Yes, that's how it's implemented.
>
> I also had a further look on that - isn't that the wrong way for trying
> to apply some more security? What good is it for if the parameters get
> (partly) passed to commerce and executed while the page doesn't get cached?
The calls to $GLOBALS['TSFE']->set_no_cache() in PI1 are only made if
someone tries to pass wrong parameters to the frontend rendering. This
happened in our installations by "brute force" or by editors setting wrong
links. Without the no_cache parameter there is a possibility that the
wrong content is shown in the page and the parameters are cached by
realurl, and the whole thing gets stuck. Also, if
$GLOBALS['TSFE']->set_no_cache() is set, no indexing is done by
indexed_search.
$GLOBALS['TSFE']->set_no_cache() is only set if the given parameter
catUid or singleUid doesn't match the starting category uid you have
defined in TS or by flexform. Normally this should not happen and
therefore this part of the extension shouldn't be called.
So why bother about this issue concerning wrong parameters?
> I think a much more secure way would be to enforce cHash parameters on
> every occasion. I found for example some places where commerce simply
> builds links with 'no_cache' for various things like:
>
> - clear Basket link
> - last product url
> - link from basket to checkout
>
> and maybe some other places I can't remember anymore. As Peter Niederlag
> confirmed: "USER_INT's are definitely never cached within TYPO3."
>
> So I recommend to NOT use any links using no_cache, but strictly
> recommend to use cached links with a cHash, as THIS ensures secure link
> parameters and also provides the TYPO3 security mechanisms for cHash
> handling.
>
> If the cHash doesn't match - simply clear EVERY piVar. That would be
> more secure IMHO. Or have I missed something? Would be good if a cHash
> expert could confirm.
In these cases I'll step into the code and have a look at it. Last
product URL seems to be easy; link from basket to checkout is clear
after Peter's posting. Concerning the clear basket link I have to
investigate further, since I must be sure that the basket hash is
cleared as well, so that the wrong basket content is not cached.
Regards
Ingo
>
> --
> Kind regards,
> Franz Koch
Kind regards
--
Ingo Schmitt mailto:is at marketing-factory.de
Marketing Factory Consulting GmbH http://typo3.marketing-factory.de/
Content management with Typo3: consulting - training - implementation
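The parameter handling discussed in this thread, as an added example that is not code from the commerce extension or from either poster: the plugin recomputes the cHash for the request and validates catUid/singleUid against the uids that belong to the configured start category before anything is rendered, so that an invalid request shows the entry page instead of relying on set_no_cache(). Class, method and parameter names are assumptions; the t3lib_div helpers are the TYPO3 4.x core functions, and the caller is assumed to derive the allowed uid lists from the start category set in TS or the flexform.

```php
<?php
// Added example (not part of the commerce extension). Assumes TYPO3 4.x,
// where the frontend itself computes the cHash with t3lib_div::cHashParams()
// and t3lib_div::calculateCHash() and calls set_no_cache() on a mismatch.
// The plugin repeats that check so it can decide explicitly what to render.

class tx_example_paramcheck {

    /**
     * Recomputes the cHash for the current GET parameters exactly like
     * tslib_fe does and compares it with the submitted one.
     * Returns false when no cHash was sent at all.
     */
    public static function cHashIsValid() {
        $get = t3lib_div::_GET();
        if (!is_array($get) || empty($get['cHash'])) {
            return false;
        }
        // cHashParams() strips id/type/no_cache/cHash/MP/ftu and mixes in
        // the encryption key; calculateCHash() hashes the sorted remainder.
        $params = t3lib_div::cHashParams(t3lib_div::implodeArrayForUrl('', $get));
        return t3lib_div::calculateCHash($params) === (string) $get['cHash'];
    }

    /**
     * Returns the piVars that may be used for rendering.
     * - A missing or wrong cHash drops EVERY piVar (Franz's proposal), so
     *   unverified parameters never reach the rendering code.
     * - A catUid/singleUid outside the configured start category is dropped
     *   as well; the caller then shows the entry page, which is safe to
     *   cache because it no longer depends on the rejected parameters.
     * $allowedCatUids / $allowedProductUids are integer arrays derived by
     * the caller from the start category (assumed helper input).
     */
    public static function sanitizePiVars(array $piVars, $cHashValid,
            array $allowedCatUids, array $allowedProductUids) {
        if (!$cHashValid) {
            return array();
        }
        $clean = array();
        $catUid = isset($piVars['catUid']) ? intval($piVars['catUid']) : 0;
        if ($catUid > 0 && in_array($catUid, $allowedCatUids, true)) {
            $clean['catUid'] = $catUid;
        }
        $singleUid = isset($piVars['singleUid']) ? intval($piVars['singleUid']) : 0;
        if ($singleUid > 0 && in_array($singleUid, $allowedProductUids, true)) {
            $clean['singleUid'] = $singleUid;
        }
        return $clean;
    }
}
```

In the plugin's main() the result of sanitizePiVars() replaces $this->piVars; an empty result means "render the entry page", and because nothing user-controlled is left in that output there is no reason to disable caching or indexing for it.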