"Invalid token" because of Joomla! page caching plugin

Discussion regarding Joomla! 3.x Performance issues.

geert1992
Joomla! Fledgling
Posts: 3
Joined: Fri Mar 27, 2015 8:34 am

"Invalid token" because of Joomla! page caching plugin

Post by geert1992 » Fri Mar 27, 2015 8:36 am

Hi all,

For one of our clients we recently activated the Joomla! page caching plugin ("System - Cache") for the purpose of speed optimization on their website.

The consequence of this was that users who wanted to log in frequently received the error message "Invalid token". The cause of this problem was logical: because the (HTML) output of every page is saved/cached and reused at each subsequent visit, a new "token" (the hidden input field in the login form), which is used during login, was never generated. Therefore there were many login sessions with the same token, which causes the error "Invalid token".

We solved this by making a custom page caching plugin (derived from the default Joomla! caching plugin) in whose code we blocked cache storage for the page "/login". Therefore that page is generated again on each page visit, so there is always a unique token for the login session.

Is this problem known by other Joomla! developers? And do you maybe have other (better) solutions for solving this problem? I think it's just strange that two parts of the Joomla! core conflict like this and that it is not being handled.

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: "Invalid token" because of Joomla! page caching plugin

Post by itoctopus » Fri Mar 27, 2015 11:21 am

Yes - it is a known problem.

One clean solution to this problem is the following:

- Install a 3rd party cache plugin such as JotCache
- Create a login page and only allow your users to log in from that page (and not from a module)
- Instruct JotCache not to index that particular page

It might be that JotCache handles this problem at the module level without you doing anything, so just try to install it first and see what happens.

Another solution would be to modify the core to get rid of the token issue - I know that many would be against this, but here's a link on how to do it: http://www.itoctopus.com/how-to-complet ... -on-joomla

Keep in mind that once you modify the core, your website becomes instantly harder to maintain, and, in this particular situation, it may pose some security threats.

Hope this helps.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

geert1992
Joomla! Fledgling
Posts: 3
Joined: Fri Mar 27, 2015 8:34 am

Re: "Invalid token" because of Joomla! page caching plugin

Post by geert1992 » Tue Mar 31, 2015 2:28 pm

Thank you for your comment.

Your first solution (excluding the page /login from page caching) seems to be the same solution as we applied, but for that we're using a custom plugin instead of JotCache. I'll check whether JotCache excludes the login module as well. :-)

Getting rid of the token protection is not a solution for us. We don't want to affect the security of the website and don't want to edit the core either.

geert1992
Joomla! Fledgling
Posts: 3
Joined: Fri Mar 27, 2015 8:34 am

Re: "Invalid token" because of Joomla! page caching plugin

Post by geert1992 » Tue Sep 08, 2015 6:41 am

A little bit late maybe, but some weeks ago we found out that Joomla! HAS a function which replaces the token automatically. However, on the website I was talking about we also use the plugin System - JCH Optimize Pro (http://extensions.joomla.org/extension/jch-optimize) for pagespeed optimization. This plugin merges CSS and JavaScript, minifies HTML, etc. If we disable the option 'Minify HTML' in the backend settings, the token is replaced automatically and the mentioned problem doesn't happen again. So not Joomla!, but this plugin was causing the problem.

Recently we've implemented Varnish Cache on the mentioned website. With the plugin (http://extensions.joomla.org/extensions ... for-joomla) we're using for that - which is developed by our web host Byte - it's easy to exclude specific pages or components from caching, say 'Login'. Separate parts of other pages that we want to exclude from caching we're currently replacing using Ajax.
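
The failure discussed in this thread, modelled in stand-alone PHP as an added example (not code from the posters, Joomla! or JCH Optimize): a page cache hands one visitor's token to the next unless the token field is swapped when the page is served, and a swap that matches the field's exact markup stops working once the cached HTML has been minified. The token-as-field-name markup, both patterns, the `minify()` stand-in and all function names are assumptions made for illustration.

```php
<?php
// Added illustration; all names are hypothetical, the HTML is constructed.

// Strict: matches only the exact markup the form renderer emits.
const STRICT   = '#<input type="hidden" name="[0-9a-f]{32}" value="1" />#';
// Tolerant: optional quotes, optional self-closing slash, flexible whitespace.
const TOLERANT = '#<input\s+type="?hidden"?\s+name="?[0-9a-f]{32}"?\s+value="?1"?\s*/?>#';

function newToken(): string { return bin2hex(random_bytes(16)); }

function renderLogin(string $token): string {
    return '<form method="post"><input name="username" />'
         . '<input type="hidden" name="' . $token . '" value="1" /></form>';
}

// Constructed stand-in for an HTML minifier: drops the slash of void elements.
function minify(string $html): string { return str_replace(' />', '>', $html); }

// Serve a cached page: swap any cached token field for the current visitor's own.
function serveCached(string $cachedHtml, string $visitorToken, string $pattern): string {
    $field = '<input type="hidden" name="' . $visitorToken . '" value="1" />';
    return preg_replace($pattern, $field, $cachedHtml);
}

// Server-side check on POST: the form must carry the session's own token.
function checkToken(string $html, string $sessionToken): bool {
    preg_match('#name="?([0-9a-f]{32})"?#', $html, $m);
    return isset($m[1]) && hash_equals($sessionToken, $m[1]);
}

$alice = newToken();  // visitor whose request filled the cache
$bob   = newToken();  // later visitor served from the cache

$cached         = renderLogin($alice);
$cachedMinified = minify($cached);

$cases = [
    'no refresh (raw cached page)'   => $cached,
    'strict refresh'                 => serveCached($cached, $bob, STRICT),
    'strict refresh, minified cache' => serveCached($cachedMinified, $bob, STRICT),
    'tolerant refresh, minified'     => serveCached($cachedMinified, $bob, TOLERANT),
];
foreach ($cases as $label => $html) {
    printf("%-32s %s\n", $label, checkToken($html, $bob) ? 'accepted' : 'Invalid token');
}
```

Only the second and fourth cases pass the check; the token protection itself stays in place in every case, which is the property the thread wants to keep.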

brian
Joomla! Master
Posts: 12785
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: "Invalid token" because of Joomla! page caching plugin

Post by brian » Tue Sep 08, 2015 8:35 am

Please report this bug in JCH Optimize Pro to the developers and leave a review on the JED listing so that other users know.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

