On Oct 21, 9:17 pm, Jim Dalton wrote:
> On Oct 21, 2011, at 8:04 AM, Kääriäinen Anssi wrote:
>
> > I do not know nearly enough about caching to participate fully in this
> > discussion. But it strikes me that the attempt to have CSRF protected
> > anonymous page cached is
I think for the moment, the easy fix for anonymous forms is either to
put them on a different page or to load them with ajax.
This way the forms and thus the tokens get generated only when needed.
If caching and performance are a big concern, I think those
alternatives are win/win solutions.
On Oct 21, 2011, at 8:04 AM, Kääriäinen Anssi wrote:
> I do not know nearly enough about caching to participate fully in this
> discussion. But it strikes me that the attempt to have CSRF protected
> anonymous page cached is not that smart. If you have an anonymous submittable
> form, why
I do not know nearly enough about caching to participate fully in this
discussion. But it strikes me that the attempt to have CSRF protected anonymous
page cached is not that smart. If you have an anonymous submittable form, why
bother with CSRF protection? I mean, what is it protecting
On Oct 20, 2011, at 6:02 PM, Carl Meyer wrote:
> Hi Jim,
>
> This is a really useful summary of the current state of things, thanks
> for putting it together.
>
> Re the anonymous/authenticated issue, CSRF token, and Google Analytics
>
Hi Jim,
This is a really useful summary of the current state of things, thanks
for putting it together.
Re the anonymous/authenticated issue, CSRF token, and Google Analytics
cookies, it all boils down to the same root issue. And Niran is right,
Hi...
For PyLucid I made a simple cache middleware [1] similar to the Django per-site
cache middleware [2]. But it doesn't vary on cookies and doesn't cache cookies. I
simply cache only the response content.
Of course: this doesn't solve the problem if "csrfmiddlewaretoken" is in the content.
Here some
On Oct 20, 2011, at 10:26 AM, Niran Babalola wrote:
> This problem is inherent to page caching. Workarounds to avoid varying
> by cookie for anonymous users are conceptually incorrect. If a single
> URL can give different responses depending on who's viewing it, then
> it varies by cookie.
On Thu, Oct 20, 2011 at 7:45 AM, Jim Dalton wrote:
> There
> is still an exceptionally narrow set of circumstances that would allow me to
> serve a single cached page to all anonymous visitors to my site: namely, I
> can't touch request.user and I can't use CSRF.
This