I am using a few different types of view caching:
- Fragment Caching
- CHttpCacheFilter
If my pages have forms and I have enableCsrfValidation set to true in my config, is Yii smart enough to always generate a unique token for the user’s session or will the view caching serve the same cached CSRF token to different users and result in “Invalid CSRF Token” errors?
I think this problem can be resolved in fragment caching by setting varyBySession to true but not sure if this is the best solution. Also not sure if there’s a solution for CHttpCacheFilter. So does this mean if we use CHttpCacheFilter on pages with forms we cannot enable CSRF validation?
Thank you!
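
The failure the question describes, as an added framework-independent model (not Yii code and not part of the original post): a fragment cache keyed only by the fragment id replays the first visitor's CSRF token to everyone, while a key that also includes the session id does not. Every name here (`FragmentCache`, `simulate`, the session dictionary) is an assumption made for illustration.

```python
import hmac
import secrets


class FragmentCache:
    """Toy output cache that stores rendered HTML under a key (hypothetical model)."""

    def __init__(self, vary_by_session):
        self.vary_by_session = vary_by_session
        self.store = {}

    def render(self, fragment_id, session, render_fn):
        # The cache key decides who shares a cached copy of the fragment.
        if self.vary_by_session:
            key = (fragment_id, session["id"])
        else:
            key = (fragment_id,)
        if key not in self.store:
            self.store[key] = render_fn(session)
        return self.store[key]


def new_session():
    # Constructed sample visitor: random session id and per-visitor CSRF token.
    return {"id": secrets.token_hex(8), "csrf": secrets.token_hex(16)}


def render_form(session):
    # The token is baked into the HTML, so it is cached along with the form.
    return '<input type="hidden" name="csrf" value="%s">' % session["csrf"]


def token_in(html):
    return html.split('value="')[1].split('"')[0]


def submit_ok(session, html):
    # Server-side check: the submitted token must match the visitor's own token.
    return hmac.compare_digest(token_in(html), session["csrf"])


def simulate(vary_by_session):
    """Two visitors load the same cached form, then each submits it."""
    cache = FragmentCache(vary_by_session)
    alice, bob = new_session(), new_session()
    html_a = cache.render("contact-form", alice, render_form)
    html_b = cache.render("contact-form", bob, render_form)
    return submit_ok(alice, html_a), submit_ok(bob, html_b)
```

In this model, varying by session stores one cache entry per visitor, so the fix trades cache hit rate for correctness.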