Bug #13520

Pop-up login form isn't Varnish-friendly

Added by Mike Cantelon 5 months ago. Updated 4 months ago.

Status:NewStart date:06/03/2021
Priority:MediumDue date:
Assignee:-% Done:


Category:Performance / scalability
Target version:-
Google Code Legacy ID: Tested version:
Sponsored:No Requires documentation:


Problem: We can potentially configure Varnish to allow users to log into AtoM by not caching /user/login responses but the pop-in login form, present on all pages, presents an issue. The pop-up login form shows a form that, if cached by Varnish, won't work. The problem is that the CSRF token, that needs to be generated dynamically to work, gets cached and the log in attempt gets interpreted as a hacking attempt ("CSRF attack detected" gets shown).

Possible solution: We could solve this by using AJAX to fetch a CSRF token in the pop-up login form (if the user clicks "Log in").

Alternative solution: We could also solve this by changing AtoM so the "Log in" button is a link to the /user/login page.


#1 Updated by Mike Cantelon 5 months ago

The alternate solution'd be a quick fix and less chance of issues coming up. We could always make it so a setting needs to be changed to get rid of the pop-up login form too.

#2 Updated by Mike Cantelon 4 months ago

We're going to wait until after the upgrading of Bootstrap to work on this.

Also available in: Atom PDF