Skip to content

Issue #3036486: Set max-age of 12 hours to ensure results token has not expired

Greg Watsonrequested to merge
issue/h5p-3036486:3036486-results-token-becomes into 2.0.x

Problem

H5P core uses a hash token to validate the ajax callback that is POSTed to when a user finishes an H5P interactive. This token is valid for a time period of at least 12 hours and up to 24 hours. For a site with caching enabled, pages that render an H5P could be cached for longer than that, resulting in Drupal's cache serving an already-expired token, which would result in the user completion data not being saved.

Solution

A relatively simple solution is to set the max-age of H5Ps to 12 hours. That allows for some caching, but ensures a cached page will never return an already-expired hash token. This is done in both the H5PDefaultFormatter and the H5PEmbed paths for rendering an H5P.

Known Limitations

In a worst case scenario, the page could be cached with a token that will be valid for 12 hours and 1 second. If the user then loads the page 1 second before the cache expires, the token would only be valid for a few seconds. In that case, it will likely have expired by the time they are submitting their results. This a theoretical limitation based on my understanding of the code and not something I've verified via testing, so take it with a grain of salt.

Changes

Closes #3036486

Merge request reports