[cookbook][cache] How to cache pages containing form with csrf token #1216
@weaverryan should get a
As the CSRF token is private to each user, I don't think it makes sense to cache these pages. I also believe CSRF tokens by necessity will always be stored in the session, and Varnish (and other similar proxies) must either ignore cookies or not cache pages with cookies. If the whole page is expensive to generate, I suppose you might attempt to load the form (or even just the token field) through ESI, but I'm not sure I would recommend that -- at least not highly enough to create a cookbook entry :).
I know this is a very old issue, but I would like to add my thoughts to it since it can be misleading, and I also think that this should be closed. Looking at how the CSRF tokens are generated:
Of course, you can add your own provider and return a plain hardcoded string, but this is not my point and it would break the CSRF token's purpose. Anyway, the tokens depend on the session_id, which is unique per user / session. Caching such pages would effectively cause the GET request that renders the form to give you back a cached response (thus sending the same CSRF token to many users), and the POST request would actually fail because it would validate that token against the user's session id. This is an issue for many web applications when you put caching in place, and this is why some high-traffic web applications send a cached response for the static content but generate all the user interaction widgets via uncached AJAX requests or similar techniques. Hope this makes sense. Thoughts on this @wouterj @weaverryan @gunnarlium @yosmanyga ?
@ricardclau What you're saying makes good sense. What do you propose? Do you think nothing needs to be said? Or should we have a small cookbook entry about this (that basically says don't cache them or load them with AJAX)? |
Well, this is one of those cases not related to Symfony2 itself but to how some technology + Symfony works. There are many opinions on adding cookbooks about Nginx, Varnish, logrotate and other bits. I am clearly 👎 on writing a cookbook about this, and it does not complement http://symfony.com/doc/current/cookbook/cache/varnish.html, but maybe we could add a note on http://symfony.com/doc/current/cookbook/security/csrf_in_login_form.html. Anyway, not sure about it, but if you think it can be useful, I can work on it :)
I think it could make sense to mention it in the "Using CSRF Protection in the Login Form" entry. Perhaps more as a warning to not cache pages with CSRF tokens, and perhaps hint at the option of using AJAX or ESI instead. |
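The failure mode described in the thread (a shared cache hands one user's session-bound token to everyone, so every other user's POST fails validation) and the suggested fix (cache the page shell, fetch the token through a separate uncached ESI or AJAX request) can be reproduced in a few lines. The simulation below is an added example, not code from the Symfony project or from anyone in this thread: the HMAC-over-session-id token derivation, the `Origin` and `SharedCache` classes, the paths `/form`, `/form-split` and `/csrf-token`, and the session ids are all constructed stand-ins for illustration, not Symfony's actual token generator or any real deployment.

```python
"""Why a shared HTTP cache breaks session-bound CSRF tokens, and the split-request
layout (ESI/AJAX-style) that avoids it. Everything here is constructed for the
example: the secret, the token derivation, the paths and the session ids."""
import hashlib
import hmac
import re

APP_SECRET = b"constructed-example-secret"  # stand-in for an application secret
INTENT = "task_item"                          # form name / token intention


def csrf_token(session_id: str) -> str:
    """Token bound to the user's session (a stand-in for a session-dependent scheme)."""
    msg = f"{INTENT}:{session_id}".encode()
    return hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()


def is_valid_token(session_id: str, token: str) -> bool:
    """Validation recomputes the token for *this* session and compares in constant time."""
    return hmac.compare_digest(csrf_token(session_id), token)


class Origin:
    """Backend serving the same form in two layouts."""

    def handle(self, path: str, session_id: str):
        if path == "/form":  # token inlined, page marked shareable: the mistake
            body = f'<form method="post"><input name="_token" value="{csrf_token(session_id)}"></form>'
            return {"Cache-Control": "public, s-maxage=3600"}, body
        if path == "/form-split":  # shareable shell with an empty placeholder, no token
            return {"Cache-Control": "public, s-maxage=3600"}, '<form method="post"><input name="_token" value=""></form>'
        if path == "/csrf-token":  # per-user fragment: ESI include or AJAX target
            return {"Cache-Control": "private, no-store"}, csrf_token(session_id)
        raise KeyError(path)

    def submit(self, session_id: str, token: str) -> bool:
        """The POST handler: accepts only a token derived from the submitting session."""
        return is_valid_token(session_id, token)


class SharedCache:
    """Reverse proxy that ignores cookies and stores whatever the origin lets it store."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.store = {}

    def get(self, path: str, session_id: str) -> str:
        if path in self.store:
            return self.store[path]  # served to anyone, regardless of session
        headers, body = self.origin.handle(path, session_id)
        cc = headers.get("Cache-Control", "")
        if "private" not in cc and "no-store" not in cc:
            self.store[path] = body
        return body


def extract_token(html: str) -> str:
    return re.search(r'name="_token" value="([^"]*)"', html).group(1)


def cached_form_scenario():
    """Alice warms the cache; Bob receives Alice's token and his POST is rejected."""
    origin = Origin()
    cache = SharedCache(origin)
    alice_ok = origin.submit("sess-alice", extract_token(cache.get("/form", "sess-alice")))
    bob_ok = origin.submit("sess-bob", extract_token(cache.get("/form", "sess-bob")))
    return alice_ok, bob_ok


def split_request_scenario():
    """Shell is cached and shared; the token comes from an uncached per-user request."""
    origin = Origin()
    cache = SharedCache(origin)
    results = []
    for sid in ("sess-alice", "sess-bob"):
        shell = cache.get("/form-split", sid)   # cache hit after the first user
        token = cache.get("/csrf-token", sid)   # never stored: private, no-store
        html = shell.replace('value=""', f'value="{token}"')  # what ESI or client JS does
        results.append(origin.submit(sid, extract_token(html)))
    return tuple(results)


if __name__ == "__main__":
    print("inline token, cached page:", cached_form_scenario())
    print("cached shell + uncached token:", split_request_scenario())
```

The second scenario only works because the proxy honours `Cache-Control: private, no-store` on the token fragment; if a proxy is configured to strip or ignore those headers (as some cookie-ignoring Varnish setups do), the fragment would be shared just like the full page and the same failure returns.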
A note makes sense to me. It would also need to be added to the form chapter of the book where we talk about CSRF. |
Waiting for your comments @weaverryan @gunnarlium @wouterj |
No description provided.