Using View Caching And Csrf Validation

I am using a few different types of view caching:

  1. Fragment Caching

  2. CHttpCacheFilter

If my pages have forms and I have enableCsrfValidation set to true in my config, is Yii smart enough to always generate a unique token for the user’s session or will the view caching serve the same cached CSRF token to different users and result in “Invalid CSRF Token” errors?

I think this problem can be resolved in fragment caching by setting varyBySession to true but not sure if this is the best solution. Also not sure if there’s a solution for CHttpCacheFilter. So does this mean if we use CHttpCacheFilter on pages with forms we cannot enable CSRF validation?

Thank you!

I have used other means of caching and compressing in Yii.

My method is to add the CSRF token to the key/id.

This is not always possible as some of the code is generated by Yii classes, so I patched the caching/compression class I use:

EClientScriptBoost patch
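A view fragment showing both approaches raised in this thread, the varyBySession option from the question and the token-in-the-cache-key method from the reply, as an added example in Yii 1.1 PHP (not code from either poster or from the EClientScriptBoost extension); the view path, cache ids and durations are assumptions.

```php
<?php
/* views/site/contact.php (assumed path; added example, not from the thread) */
/** @var CController $this */
$request = Yii::app()->request;

// Approach 1 (the question's suggestion): vary the fragment by session.
// Each session then gets its own cached copy, so the hidden CSRF field
// inside the fragment always belongs to the session that reads it.
if ($this->beginCache('contact-form', array(
        'duration'      => 600,
        'varyBySession' => true,
))) {
    $form = $this->beginWidget('CActiveForm', array('id' => 'contact-form'));
    // CActiveForm emits the hidden CSRF field itself when
    // enableCsrfValidation is true in the request component.
    echo $form->textField(new CFormModel(), 'subject');
    echo CHtml::submitButton('Send');
    $this->endWidget();
    $this->endCache();
}

// Approach 2 (what the reply does): mix the CSRF token into the cache id,
// so a fragment is only reused by requests that already hold the same
// token. A different session simply misses the cache instead of receiving
// somebody else's token. The token is hashed so the secret itself never
// appears in cache keys or backend logs.
$cacheId = 'sidebar-form-' . md5($request->csrfToken);
if ($this->beginCache($cacheId, array('duration' => 600))) {
    // For a POST form CHtml::beginForm adds the hidden CSRF field as well.
    echo CHtml::beginForm(array('site/subscribe'), 'post');
    echo CHtml::textField('email');
    echo CHtml::submitButton('Subscribe');
    echo CHtml::endForm();
    $this->endCache();
}
```

Both approaches cost one cached copy per session rather than one per page, which is the trade-off to weigh against a CSRF token that must differ per user.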