[TYPO3-commerce] $GLOBALS['TSFE']->set_no_cache() --> bad practice --> why using it?

Ingo Schmitt mailinglisten at i-schmitt.de
Thu Sep 6 10:37:11 CEST 2007


Franz Koch wrote:
> Hi Ingo,
> 
>> Currently there are only 3 calls to set_no_cache in pi1. These calls 
>> are only made if the given GET parameters are not correct, mainly if 
>> someone is trying to change the parameters by guessing.
>> In the last days we added checks whether the given product uid and category 
>> uid match the selected category in the backend, so if these 
>> parameters are not correct, we show the entry page for the 
>> plugin and we don't want to get this page cached and indexed, since 
>> the call with the given parameters is already wrong.
> 
> Well - that's what the cHash is for ;) No valid cHash for the given 
> piVars, no caching as far as I know.

Yes, that's how it's implemented.
> 
> I also had a further look at that - isn't that the wrong way of trying 
> to apply some more security? What good is it if the parameters get 
> (partly) passed to commerce and executed while the page gets not cached?

The calls to $GLOBALS['TSFE']->set_no_cache() in PI1 are only made if 
someone tries to pass wrong parameters to the frontend rendering. This 
happened in our installations by "brute force" or by editors setting wrong 
links. Without the no_cache parameter there is a possibility 
that the wrong content is shown in the page, the parameters are cached 
by realurl and the whole thing gets stuck. Also, if 
$GLOBALS['TSFE']->set_no_cache() is set, no indexing is done by 
indexed_search.

$GLOBALS['TSFE']->set_no_cache() is only set if the given catUid or 
singeUid parameter doesn't match the starting category uid you 
have defined in TS or by flexform. Normally this should not happen and 
therefore this part of the extension shouldn't be called.

So why bother with this issue concerning wrong parameters?


> I think a much more secure way would be to enforce cHash parameters on 
> every occasion. I found for example some places where commerce simply 
> builds links with 'no_cache' for various things like:
> 
> - clear Basket link
> - last product url
> - link from basket to checkout
> 
> and maybe some other places I can't remember anymore. As Peter Niederlag 
> confirmed: "USER_INTs are definitely never cached within TYPO3."
> 
> So I recommend to NOT use any links using no_cache, but strictly 
> recommend to use cached links with a cHash, as THIS ensures secure link 
> parameters and also provides the TYPO3 security mechanisms for cHash 
> handling.
> 
> If the cHash doesn't match - simply clear EVERY piVar. That would be 
> more secure IMHO. Or have I missed something? Would be good if a cHash 
> expert could confirm.

In these cases I'll step into the code and have a look at it. The last 
product url seems to be easy, the link from basket to checkout is clear 
after Peter's posting. Concerning the clear basket link I have to 
investigate further, since I must be sure that the baskethash is 
cleared as well, so that the wrong basket contents are not cached.

Regards

Ingo

> 
> -- 
> Kind regards,
> Franz Koch


Kind regards
-- 
Ingo Schmitt                        mailto:is at marketing-factory.de
Marketing Factory Consulting GmbH   http://typo3.marketing-factory.de/
Content management with Typo3: consulting - training - implementation
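The cHash argument made in this thread (cover every plugin parameter with a keyed hash on cacheable links, and on a mismatch drop every piVar and refuse to cache rather than render a half-trusted parameter set) can be shown in a few lines. The following is an added illustration, not code from TYPO3 core or the commerce extension, and not TYPO3's real cHash algorithm: the secret, the `tx_commerce_pi1[...]` parameter names, the page id, the uids and the helper functions are all assumptions made for the demo.

```php
<?php
// Added illustration of the "cHash or clear all piVars" rule discussed in the
// thread. Simplified model only: TYPO3 computes its cHash differently and
// reads the key from its configuration. Everything below is constructed.
declare(strict_types=1);

// Constructed demo secret; a real installation uses its own encryption key.
const DEMO_ENCRYPTION_KEY = 'constructed-demo-secret-replace-me';

/** Recursively sort parameters so that the link parameter order does not matter. */
function canonicalize(array $params): array
{
    ksort($params);
    foreach ($params as $name => $value) {
        if (is_array($value)) {
            $params[$name] = canonicalize($value);
        }
    }
    return $params;
}

/** Keyed hash over ALL parameters of a link (simplified stand-in for a cHash). */
function buildCHash(array $params, string $key): string
{
    return hash_hmac('sha256', http_build_query(canonicalize($params)), $key);
}

/** Build a cacheable link: every piVar is covered by the hash, no no_cache=1. */
function buildCachedLink(int $pageId, array $piVars, string $key): string
{
    $params = ['id' => $pageId, 'tx_commerce_pi1' => $piVars];
    $params['cHash'] = buildCHash($params, $key);
    return 'index.php?' . http_build_query($params);
}

/**
 * Validate an incoming request (the parsed query string, as $_GET would be).
 * A missing or wrong hash means: drop EVERY piVar and mark the page as not
 * cacheable, so neither a guessed nor a mistyped parameter ever reaches the
 * plugin or the page cache.
 */
function validateRequest(array $get, string $key): array
{
    $given = (string)($get['cHash'] ?? '');
    unset($get['cHash']);
    $expected = buildCHash($get, $key);
    if ($given === '' || !hash_equals($expected, $given)) {
        return ['piVars' => [], 'cacheable' => false, 'reason' => 'cHash mismatch'];
    }
    $piVars = is_array($get['tx_commerce_pi1'] ?? null) ? $get['tx_commerce_pi1'] : [];
    return ['piVars' => $piVars, 'cacheable' => true, 'reason' => 'ok'];
}

// Demo: a link generated by the site itself validates and may be cached.
$link = buildCachedLink(42, ['catUid' => 5, 'showUid' => 17], DEMO_ENCRYPTION_KEY);
parse_str(substr($link, strlen('index.php?')), $request);
print_r(validateRequest($request, DEMO_ENCRYPTION_KEY));

// Demo: the same link with one uid changed by hand (the "wrong parameters"
// case from the thread) loses all piVars and is never cached or indexed.
$request['tx_commerce_pi1']['showUid'] = '999';
print_r(validateRequest($request, DEMO_ENCRYPTION_KEY));
```

The point of the model is the all-or-nothing decision in `validateRequest`: the plugin never sees a partially valid parameter set, so there is nothing left for `set_no_cache()` to protect against, and the basket-style links in the list above stay cacheable as long as they carry the hash.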