Pop-up login form isn't Varnish-friendly
Category: Performance / scalability
Problem: We can potentially configure Varnish to allow users to log into AtoM by not caching /user/login responses, but the pop-up login form, present on all pages, presents an issue. The pop-up login form shows a form that, if cached by Varnish, won't work. The problem is that the CSRF token, which needs to be generated dynamically to work, gets cached, and the login attempt gets interpreted as a hacking attempt ("CSRF attack detected" gets shown).
Possible solution: We could solve this by using AJAX to fetch a CSRF token in the pop-up login form (if the user clicks "Log in").
Alternative solution: We could also solve this by changing AtoM so the "Log in" button is a link to the /user/login page.
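A sketch of the AJAX approach from "Possible solution", added here as an example and not taken from AtoM's code. It assumes the hidden field is named `_csrf_token`, that /user/login is excluded from Varnish caching as described above, and that the selectors in the final comment are hypothetical.

```javascript
// Added example, not AtoM code. Assumptions: the hidden field is named
// "_csrf_token" and /user/login is excluded from Varnish caching.
const CSRF_FIELD = '_csrf_token';
const LOGIN_URL = '/user/login';

// Pull the value of a named <input> out of an HTML string, whatever the
// attribute order or quoting. Returns null when the field is absent.
function extractCsrfToken(html, fieldName = CSRF_FIELD) {
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)) {
      attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
    }
    if (attrs.name === fieldName && attrs.value) return attrs.value;
  }
  return null;
}

// A response with Age > 0 came out of a shared cache, so its token was
// generated for an earlier request and must not be reused.
function isFromCache(headers) {
  const age = parseInt(headers.get('age') || '0', 10);
  return Number.isFinite(age) && age > 0;
}

// Fetch a fresh token and copy it into the pop-up form's hidden field.
// `form` is the pop-up <form>; `fetchImpl` is injectable for testing.
async function refreshLoginToken(form, fetchImpl = fetch) {
  const res = await fetchImpl(LOGIN_URL, { credentials: 'same-origin', cache: 'no-store' });
  if (!res.ok) throw new Error(`token fetch failed: HTTP ${res.status}`);
  if (isFromCache(res.headers)) throw new Error('login page was served from cache');
  const token = extractCsrfToken(await res.text());
  if (!token) throw new Error('no CSRF field in login page');
  form.elements[CSRF_FIELD].value = token;
  return token;
}

// Browser wiring (hypothetical selectors): refresh when the pop-up opens.
// document.querySelector('#login-toggle').addEventListener('click', () =>
//   refreshLoginToken(document.querySelector('#login-popup form')));
```

The `Age` check makes a Varnish misconfiguration fail visibly in the browser instead of surfacing later as "CSRF attack detected" on submit.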