
Blog's comments cache issues

Open HermesSbicego-Laser opened this issue 3 years ago • 1 comments

We found some issues testing blogpost and comments features:

Anonymous users:

  1. Commenting on a blogpost does not evict the cache of the blogpost, so the comment is invisible until the cache expires

Authenticated Users (with authenticated cache):

  1. Same issue as for the anonymous users
  2. Same cache created for different users:
    • Navigate to blog post with UserA (the cache will be created for UserA and the page writes "Hi, UserA")
    • Navigate to blog post with UserB (the cache created by UserA will be served and the page writes "Hi, UserA")
  3. Antiforgery error:
    • Trying to post comments as UserB, we receive the "The anti-forgery cookie token and form field token do not match." error. The antiforgery token was in fact created for UserA.

With PR #8470, point 3 will be fixed. For point 1, we should evict the cache for the blogpost. For point 2, we need something like a Donut Cache, I think.

HermesSbicego-Laser, Apr 30 '21 08:04

Something has been broken because these were working fine. Especially the first issue (anonymous users). Because there is a POST, the cache entry should be evicted on the redirection. It definitely worked.

For issue 2, this is by design: if you enable it, you assume that you are not generating output containing personal information, or this has to be done in a separate ajax call to an endpoint that is not cached.

For issue 3, nothing should be cached when there is an antiforgery token. We might even go as far as not caching anything when a cookie is "set".

sebastienros, May 06 '21 17:05
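
The caching rules discussed in this thread (store nothing that carries an antiforgery token or sets a cookie, and evict the page's entry when a POST redirects back to it), as an added example that is not Orchard's code and not part of the thread. It is a minimal in-memory model: the class names, URLs and eviction keyed on the `Location` header are assumptions made for illustration, and `__RequestVerificationToken` is the default ASP.NET MVC antiforgery field name.

```csharp
using System;
using System.Collections.Generic;

// Constructed model of an output cache; not Orchard's OutputCache module.
class Response
{
    public int Status;
    public string Body = "";
    public Dictionary<string, string> Headers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
}

class OutputCacheModel
{
    readonly Dictionary<string, Response> _store = new Dictionary<string, Response>();

    // Store nothing that sets a cookie or embeds a per-user antiforgery token.
    public static bool IsCacheable(Response r) =>
        r.Status == 200
        && !r.Headers.ContainsKey("Set-Cookie")
        && !r.Body.Contains("__RequestVerificationToken");

    public Response Handle(string method, string url, Func<Response> render)
    {
        if (method == "GET" && _store.TryGetValue(url, out var hit)) return hit;
        var fresh = render();
        if (method == "GET") { if (IsCacheable(fresh)) _store[url] = fresh; }
        // A non-GET that redirects evicts the cached entry for the redirect target.
        else if (fresh.Headers.TryGetValue("Location", out var target)) _store.Remove(target);
        return fresh;
    }
}

static class Program
{
    static Response Page(string body) => new Response { Status = 200, Body = body };

    static void Main()
    {
        var cache = new OutputCacheModel();
        const string url = "/blog/post-1"; // constructed URL
        // Page with a comment form: token present, so UserB gets a fresh render.
        cache.Handle("GET", url, () => Page("<input name=\"__RequestVerificationToken\" value=\"A\">"));
        var b = cache.Handle("GET", url, () => Page("<input name=\"__RequestVerificationToken\" value=\"B\">"));
        Console.WriteLine(b.Body.Contains("value=\"B\""));
        // Token-free page is cached; a comment POST redirecting to it evicts it.
        cache.Handle("GET", url, () => Page("0 comments"));
        Console.WriteLine(cache.Handle("GET", url, () => Page("never rendered")).Body);
        var redirect = new Response { Status = 302 };
        redirect.Headers["Location"] = url;
        cache.Handle("POST", "/comments/create", () => redirect); // constructed path
        Console.WriteLine(cache.Handle("GET", url, () => Page("1 comment")).Body);
    }
}
```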