Log in Problems with Cache Enabled

W

Wayne T1

Member
Ok so Ive now disabled the third party add on, litespeed cache for XF2.

So this is no longer a third party add on problem and I don't require support for the add on in the link above. I would like some help from the developers of the software i've just paid a small fortune for.

My forum is running on litespeed web server which has a built in cache. Not sure why you would need the third party add on above to begin with as you can configure the server software to cache pages with a few lines of htacess code.

Anyway, I am running into log in problems when users are trying to log into the forum from a page that is served from the cache.

Could anyone let me know how I would get around this? I think it has to be something to do with the session cookies or xf_csrf cookie.

If anyone could point me in the right direction I would be grateful.

Thanks
 
It sounds like you have set a flag to allow full page caching enabled everywhere. To my knowledge you can’t use the same full page cache with XenForo (or any forum platform really) as each member group will have different permissions (node permissions), as well as private areas such as Conversations - the sessions will clash.

The above add-on works with the LSCache module in LiteSpeed but only for guests. Just having LiteSpeed installed (with the right license and LSCache module installed) should suffice.
 
@Optic Thanks a lot for the response.

Optic said:
But yeah definitely avoid full page caching (except for guests)
Click to expand...

Yes this is what I was doing, cache for guests only. The problem I was running into was that when the page was served via cache (to a guest not logged in) and any attempt was made to log in from the cached page then xenforo was throwing security error messages, same for search and register too.

Everything worked as it should, cache for guests and no cache for users, it was just the log in that presented the problem.

I tried getting support for this from xenforo as I've just bought the software and transferred over from VB4, I explained the problem and asked if they could give me more info about how the log in security functions, point me in the right direction and the reply I got was that xenforo does not support page cache out of the box. Yea, I kinda figured that out, not very helpful really.

I'm guessing a security token or session id or something is getting cached and hence the security errors when trying to log in via a cached page.
 
I'm certain it does.

Caching works perfectly on static HTML pages that never change, but caching of a dynamic site (such as a forum) for anyone, including guests is never a good idea. Generally speaking, the only things that should be cached on a dynamically generated site are css, js, and images. And even those should be done carefully to account for changes in them.

In most cases, caching a dynamically generated site stops any changes in the site from being viewed immediately. Such as when someone posts a new thread, the post isn't seen immediately as it should be. In your case, the security token is being cached within the dynamically generated html and it shouldn't be.

Knowing nothing about litespeed, I don't know if you can configure it to only cache the items I mentioned or not.
 
Last edited:
Snog said:
I'm certain it does.

Caching works perfectly on static HTML pages that never change, but caching of a dynamic site (such as a forum) for anyone, including guests is never a good idea. Generally speaking, the only things that should be cached on a dynamically generated site are css, js, and images. And even those should be done carefully to account for changes in them.

In most cases, caching a dynamically generated site stops any changes in the site from being viewed immediately. Such as when someone enposts a new thread, the post isn't seen immediately as it should be. In your case, the security token is being cached within the dynamically generated html and it shouldn't be.

Knowing nothing about litespeed, I don't know if you can configure it to only cache the items I mentioned or not.
Click to expand...

Guests not seeing new threads and posts immediately is not a concern, that's ok. It has no detrimental effect on anything. Logged in users can see everything immediately which is the main thing.

Pages served via cache to guests load lightning fast, like 400ms fast with a TTFB of 20ms. This is brilliant for SEO, SERP rank and users, especially if they are on mobiles.

If only I could get the security issues resolved :unsure:
 
Sure they load fast, but they are not secure in the sense that everyone is viewing them as the same user.

I'll try to explain what's happening....

Assume this is a fresh start with no cache created yet and 3 guests are going to view the site...

User 1 views the site. A security token is generated for them and the page is created dynamically. Litespeed caches the HTML for that page to serve to anyone that views it.

User 2 views the site and gets the cached HTML (including User 1's token). This isn't a problem yet.

User 3 views the site and gets the cached HTML (including User 1's token). They have no problem viewing the site. But, User 3 now wants to register. Because User 3 has User 1's security token, they can't because they aren't User 1.

Any site that uses CSRF (Cross-Site Request Forgery) protection would run across this problem if the dynamically generated HTML is cached. It's not something can can be avoided or disabled without sacrificing the security of it's users.
 
I wish I could disable it. Its not like its online banking or super confidential information I am talking about. I would gladly sacrifice security for speed.

My whole site is cached, including word press blog, apart from the forum. Hopefully I will be able to get something working eventually.

I've ran the forum, the site and multiple blogs without CSRF for years and everything has been ok. Its the first time I've ever came across CSRF protection to be honest.
 
Ideally I would like to get cache working without disabling anything or making the site less secure though.

Any input from anyone in helping to do this will be appreciated.

Does anyone know exactly how CSRF is implemented on xenforo.
 
You must log in or register to reply here.

Similar threads

W
  • Locked
  • Question Question
XF 2.0 Log in problems with litespeed cache enabled
Replies
1
Views
1K
Paul B
Paul B
karll
  • Question Question
XF 2.1 Log-in problems with XF2.1 beta
Replies
2
Views
474
karll
karll
Bob Hennessey
  • Question Question
XF 1.3 Question on Cache & Rebuild without cache enabled
Replies
5
Views
3K
Mike
Mike
K
  • Question Question
Internet Explorer and Log In Problems
Replies
1
Views
648
Jake Bunce
Jake Bunce
S
Fixed IE8 Facebook Log In Problem from pages other than forum home
Replies
4
Views
2K
SneakyDave
S
Top Bottom