make known users anonymous / wp_cache_make_known_anon does not respect wp_rejected_uri strings or Accepted Filenames & Rejected URIs
make known users anonymous / wp_cache_make_known_anon does not respect wp_rejected_uri strings or Accepted Filenames & Rejected URIs.
This may be the opposite of what users expect: when certain pages are excluded from caching, there is no point in stripping the login information from these requests in order to serve a cached page.
In fact, stripping this information from pages which should be cached might break their functionality, which means the 'make known users anonymous' setting cannot be used safely.
see also:
- Automattic/wp-super-cache#422 DOING_AJAX not checked
- Automattic/jetpack#25552 make known users anonymous breaks Rest API
This feature should probably have a large health warning on it!
I never thought those settings were connected at all, but it would be helpful if we could filter out pages that are necessary for the normal running of the site.
I recently ran into this issue. Of course this could get quite messy, but wouldn't it be enough to add `wp_cache_is_rejected()` as one of the checks in this block

```php
if ( isset( $wp_cache_make_known_anon ) && $wp_cache_make_known_anon ) {
	wp_supercache_cache_for_admins();
}
```

or even part of the `wp_supercache_cache_for_admins()` function?
All the dynamic portions of my site are loaded via JavaScript, but I have a couple of pages that check if the user is logged in before rendering a response to the client. These are generic "thank you" type pages. But as the cookies are stripped by wp-super-cache, these pages return 403.
Checking if the uri matches the blacklist and returning before stripping cookies rather than performing the check after shouldn't cause any breaking changes.
A plugin file with this will make things work as expected, but it seems that this should be handled natively as one would think bypassing the cache would also bypass cookie stripping.
```php
<?php
/**
 * If the page is in the set blacklist, do not strip cookies
 *
 * @return bool
 */
function wp_supercache_no_anon_on_blacklist() {
	return ! wp_cache_is_rejected( $_SERVER['REQUEST_URI'] );
}
add_cacheaction( 'wp_supercache_remove_cookies', 'wp_supercache_no_anon_on_blacklist' );
```