Hi! I have a pretty big website, so it needs caching badly. There is also my own implementation of a commenting system based on a DataBound form. The problem is that if the cache is on (and it is on), visitors get a security token invalidation message when they submit the commenting form. I've gone through the forums and didn't find whether there is some sort of partial cache (if there is, that would be great). I see several options here, but need some information.
Option 1:
Change the config file so the cache stays there before the tokens expire (<= 24h, I guess). My question is whether those tokens would be valid for all users, as there is only one cached token. Will everyone be able to send comments? Also, this option makes the cache system partially useless, as there are lots of pages and there will be no cache most of the time (24h is not enough).
Option 2:
The "no_cache" tag. As I understand it, it will turn off caching of the pages with comments. Those pages are the main part of the website, so it is a very bad idea. I really need them to be cached.
Option 3:
Looking through Couch's source code, the native commenting system in particular, I can see several arguments there: add_security_token = '0' and _invalidate_cache='1' (file: comment_form.html). The second one, I assume, provides the ability for the comments to show up right away(?). I don't need it, as my commenting system has pre-moderation. But the first one seems to be the one that can lead me to a solution(?).
Option 4:
Something else? :)

Thank you in advance!
Hi,

I think your issue is similar to the one discussed in the following thread - viewtopic.php?f=4&t=11239

As I mentioned there, the right way would be to generate the databound form at the very moment the visitor is ready to use it.
You could use a separate (non-cachable) template for this (or throw in AJAX to show the generated form on the same page).

Hope this helps.
Sorry, but I just don't get how I can generate a form with no cache in a separate template (each time a user visits a cached static page with comments) and include it in a static cached page. Am I missing something? :)
I wonder if some of my options in the first post can be of any use?
The AJAX approach has some disadvantages, so I'd better use something else.

PS: The difference with the forum post you provided is that I have no "Open Ticket" button. The form is present on the product page upon visiting it. Disabling cache would cause huge load times as the page itself is big with lots of DB queries.
The difference with the forum post you provided is that I have no "Open Ticket" button..

Yes, I understand. My aim was to suggest that instead of a pre-rendered form, you place some button or link of that kind on the page. Clicking on that link would navigate to a non-cachable template showing the form from which the user can proceed to submit the comments. AJAX could be used here to show, for example, the form in a popup.

Once the comment is submitted (and reviewed) the cache will get busted automatically and the new comments will show up on the site.

Anyway, that to me is all we can do out-of-the-box to solve the stale security tokens problem.

A non-Couch approach would be to use external proxies like Varnish to give scalability to your site, considering it is taking in this amount of traffic.
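The stale-token problem and the uncached-form fix discussed above, as an added example that is not part of the original posts and is not Couch's own code. It assumes a hypothetical token scheme (HMAC over a session id and a 24-hour expiry) and a hypothetical `/comment-form` URL; whether Couch binds its tokens to the visitor is not stated in the thread.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret';  // constructed server-side key
const TTL_MS = 24 * 60 * 60 * 1000;        // assumed 24h token lifetime

const mac = (sid, exp) =>
  crypto.createHmac('sha256', SECRET).update(`${sid}|${exp}`).digest('hex');

// Token = expiry + HMAC over (session id, expiry). Hypothetical scheme.
function issueToken(sid, now) {
  const exp = now + TTL_MS;
  return `${exp}.${mac(sid, exp)}`;
}

function checkToken(token, sid, now) {
  const [exp, sig] = String(token).split('.');
  if (!sig || !(Number(exp) >= now)) return false;   // malformed or expired
  const a = Buffer.from(sig, 'hex');
  const b = Buffer.from(mac(sid, exp), 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Whole-page cache: the first render is served to every later visitor.
function makePageCache() {
  let html = null;
  return (render) => (html === null ? (html = render()) : html);
}

// A: the form (and its token) is rendered into the cached page.
function tokenInCachedPage() {
  const page = makePageCache();
  const v1 = page(() => issueToken('visitor-1', 0));  // fills the cache
  const v2 = page(() => issueToken('visitor-2', 0));  // cache hit: visitor-1's token
  return {
    first: checkToken(v1, 'visitor-1', 1000),
    second: checkToken(v2, 'visitor-2', 1000),
    stale: checkToken(v1, 'visitor-1', TTL_MS + 1),
  };
}

// B: the cached page carries only a link; the form comes from an uncached template.
function tokenFromUncachedForm() {
  const page = makePageCache();
  page(() => '<a href="/comment-form">Add a comment</a>');  // hypothetical URL
  const now = 3 * TTL_MS;                                   // cache is days old
  const form = (sid) => issueToken(sid, now);               // rendered per request
  return ['visitor-1', 'visitor-2'].map((sid) => checkToken(form(sid), sid, now + 1000));
}
```

In scenario A only the visitor who filled the cache can submit, and only until the token expires; in scenario B the age of the cached page no longer matters because the token is issued when the form is requested.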
Thank you for replying. So there is no option to disable the security token check on this form? Or just set the cache expiration date to less than 24h as a temporary solution (if just one generated token can be used by all users)? I still don't understand how I'll pass data from the product page the user visits to the form in a separate template. It is a commenting system, so I set the current page id, name, link, etc. on a new cloned comment page so I can fetch comments on a particular product page.
I set some fields from a product page on a new comment. Here are the fields I use to make commenting work:
    <cms:if k_success >
        <cms:db_persist_form
            _invalidate_cache='0'
            _auto_title='1'
            k_page_folder_id="<cms:show pending_folder_id />"
            comment_page_title="<cms:show k_page_title />"
            comment_page_id="<cms:show k_page_id />"
            comment_page_name="<cms:show k_page_name />"
            comment_page_template_name="<cms:show k_template_name />"
        />
    .....

If I use AJAX I'll expose those fields to the user, I guess. I don't know if they can be used to hack something :)
So there is no option to disable the security token check on this form?

To prevent the form from adding a security token automatically, you may set 'add_security_token' param to '0' in the <cms:form> tag.

That will, of course, open up the form to CSRF attacks upon registered users (i.e. those logged in with Couch accounts). If, however, it is only anonymous visitors that comment, I think it shouldn't matter much.

Hope it helps.
If I use AJAX i'll expose those fields for a user, I guess.

No, you won't :).
<cms:db_persist_form> is a server-side tag and does not output anything on the front-end.
As a confirmation, you can always examine the output of your form to see what is being rendered.
KK wrote:
If I use AJAX i'll expose those fields for a user, I guess.

No, you won't :).
<cms:db_persist_form> is a server-side tag and does not output anything on the front-end.
As a confirmation, you can always examine the output of your form to see what is being rendered.

It is, but if it is going to be a separate template then I won't have access to those variables, so I'll need to pass them with the help of hidden inputs and JS. Is there another solution to using <cms:db_persist_form /> within another template?
Did you happen to take a look at my earlier reply? -
To prevent the form from adding a security token automatically, you may set 'add_security_token' param to '0' in the <cms:form> tag.

That will, of course, open up the form to CSRF attacks upon registered users (i.e. those logged in with Couch accounts). If, however, it is only anonymous visitors that comment, I think it shouldn't matter much.

Hope it helps.

Wouldn't that help? Please let me know.