Hi, I've just recently developed an order-history section for my
users, and I want to cache the action as it's quite a hefty process
(XML API call to a booking server that takes a while to generate the
results).

Obviously I need something unique like, say, the user_id in the URL to
make sure the cache is unique to that user.

However, it seems that although the user has to be logged in to view
the order-history, there is nothing to stop them substituting their
user_id for someone else's to load another user's history if they've
happened to cache it recently.

i.e.
 1. User1 logs in, views order history which is then cached for 30
mins.
 2. 10 mins later, User2 logs in, views the order history page, but
then changes the userid to User1's, and gets his/her cached history
displayed instead.


How do people prevent this from happening?



This is on symfony 1.0.20, using the standard symfony file cache.
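An added example, not part of the original post and not symfony's own cache API: plain PHP contrasting a cache key taken from the URL with one derived from the server-side session. The array cache, `fetchOrderHistory()` and both `historyFrom…` functions are hypothetical stand-ins, and the sample users are constructed.

```php
<?php
// Constructed stand-ins: an array plays the role of the file cache, and
// fetchOrderHistory() plays the slow XML API call to the booking server.
$cache = [];

function fetchOrderHistory(int $userId): string
{
    return "orders for user $userId";
}

// Pattern described in the post: the key comes from the URL and a cache hit
// is returned without comparing it to the logged-in user ($session is unused).
function historyFromUrlKey(array &$cache, array $session, array $query): string
{
    $key = 'order-history/' . $query['user_id'];
    if (!isset($cache[$key])) {
        $cache[$key] = fetchOrderHistory((int) $query['user_id']);
    }
    return $cache[$key];
}

// Hardened: the key is built only from the session, so a user_id in the URL
// cannot select another user's cache entry.
function historyFromSessionKey(array &$cache, array $session, array $query): string
{
    if (!isset($session['user_id'])) {
        throw new RuntimeException('not logged in');
    }
    $owner = (int) $session['user_id'];
    // If the URL keeps a user_id, reject a mismatch before touching the cache.
    if (isset($query['user_id']) && (int) $query['user_id'] !== $owner) {
        throw new RuntimeException('forbidden');
    }
    $key = 'order-history/' . $owner;
    if (!isset($cache[$key])) {
        $cache[$key] = fetchOrderHistory($owner);
    }
    return $cache[$key];
}

// User1 (id 1) warms the cache; User2 (id 2) then asks for ?user_id=1.
historyFromUrlKey($cache, ['user_id' => 1], ['user_id' => '1']);
echo historyFromUrlKey($cache, ['user_id' => 2], ['user_id' => '1']), "\n";
try {
    historyFromSessionKey($cache, ['user_id' => 2], ['user_id' => '1']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
echo historyFromSessionKey($cache, ['user_id' => 2], []), "\n";
```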