Hi!
I’m having spam issues because I can’t use secure forms with server-level caching.
Hon-ee Pot Captcha solved the issue with almost everything, except for the mail contact form, which doesn’t have the necessary hook.
Is it possible to add a hook to be fired before the mail sending?
Plus, this is the kind of simple utility that could be part of core.
Thanks!
Hi, Derek!
I’m using fastcgi cache on NGINX.
Only the first request without the exp_sessionid cookie reaches eecms, every 60s. All my websites run on NGINX instead of Apache.
It would be amazing if I could load just the CSRF code, but I don’t think it’s possible.
Thanks for your attention.
Hm, no configuration to use special tags to exclude bits from being cached? I’m not sure the gains of a full page cache for visitors are worth entirely giving up CSRF protection. Particularly with email forms, you’re essentially inviting spammers to abuse it.
Honey pots that live in the markup aren’t very effective over the long term; someone will inspect the markup or target the site / system being used and simply leave that field out of their script. With no CSRF, they can blanket the web with links and/or JS that cause any visitor hitting a page to submit the form on your site, all without their (or your) knowledge.
It looks like we’ve entered into a more interesting discussion here.
I’m sorry for saying this, but eecms cache isn’t good enough, especially for complex websites. One of my clients has a really complex website with 50,000 visits per month. However, your concerns about the CSRF protection can’t be put aside.
Were you thinking about something like what Varnish does? I don’t think I can use something like this. NGINX saves the complete HTML. Can you give some info about what I should look for? Maybe the answer is right in front of me and I couldn’t find it.
Or… Is it possible to load the CSRF code by JavaScript? This could be useful. After a code expires, it could be used just to get a new one. This way, a user posting on a forum will never lose his or her long and time-consuming post.
Oh! I still think the hook can be useful!
Sorry I’m not familiar enough with NGINX and that module to know how discretely it can be configured, but I was thinking along the lines of Varnish edge side includes. What version of EE are you using, and are you using memcached / redis, and using the built-in caching solutions effectively? 50,000 visits per month is not approaching what I would consider high traffic with special needs for handling a PHP/MySQL based app, even if you’re making EE jump through hoops. Our site for instance has nearly 300,000 visitors per month and we don’t employ any special caching mechanisms.
You want to make sure your DB server is well configured, that you are using an effective opcode cache, and running a recent version of PHP (5.5 if possible), all before I’d start investigating other app-level and server-level caching.
If you haven’t read it, you might be interested in the Nexcess white paper on performance and caching.
Or… Is it possible to load the CSRF code by JavaScript?
Indeed you probably could, the JS could make a call to an EE endpoint (an ACT URL from a module would be most performant here) that is excluded from your full page caching mechanism, and return the CSRF token for use in your forms.
Oh! I still think the hook can be useful!
Yes, sorry, I didn’t mean to derail the original request which has merit, but it sounded like there were some greater underlying issues to discuss.
As an aside, Snaptcha is similar to a honey pot, but requires JavaScript so most bots are blocked. Ben has also documented a hack you can make to the email module for the hook which makes Snaptcha work with the email module. Just an option.
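One way to build what Derek describes, as an added example that is not code from this thread or from ExpressionEngine: a browser-side script that pulls the token from an uncached ACT endpoint (the ACT id, the JSON key and the token character set are assumptions) and writes it into the form right before submit, which also covers the expired-while-typing case raised earlier.

```javascript
// Added example (not ExpressionEngine's code): fetch the CSRF token from an
// uncached endpoint and inject it right before submit, so NGINX can cache the
// page HTML while the token stays fresh. ACT id and JSON key are placeholders.
const TOKEN_ENDPOINT = '/?ACT=00';   // placeholder ACT id, not a real one
const TOKEN_FIELD = 'csrf_token';    // name of EE's hidden CSRF field
// Validate the body so a cached error page or HTML redirect never lands in
// the hidden field. The token character class is an assumption; adjust it.
function parseTokenResponse(body) {
  let data;
  try { data = JSON.parse(body); } catch (e) { return null; }
  const token = data && data[TOKEN_FIELD];
  return (typeof token === 'string' && /^[A-Za-z0-9_-]{16,}$/.test(token)) ? token : null;
}

// Request a fresh token; same-origin credentials keep the session cookie, no-store avoids a stale browser copy.
async function fetchToken(fetchImpl = fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    credentials: 'same-origin',
    cache: 'no-store',
    headers: { 'X-Requested-With': 'XMLHttpRequest' },
  });
  return res.ok ? parseTokenResponse(await res.text()) : null;
}

// Write the token into the hidden field, creating it if the cached markup
// shipped without one.
function setTokenField(form, token, doc = document) {
  let field = form.querySelector(`input[name="${TOKEN_FIELD}"]`);
  if (!field) {
    field = doc.createElement('input');
    field.type = 'hidden';
    field.name = TOKEN_FIELD;
    form.appendChild(field);
  }
  field.value = token;
}

// Refresh on submit rather than on page load, so a visitor who spent an hour
// writing a post submits with a token that is valid right now.
function protectForm(form, fetchImpl = fetch) {
  form.addEventListener('submit', (ev) => {
    ev.preventDefault();
    fetchToken(fetchImpl).then((token) => {
      if (token) { setTokenField(form, token); form.submit(); }
      else { form.dispatchEvent(new Event('csrf-unavailable')); } // let the page react
    });
  });
}
```

Call `protectForm(document.querySelector('form.contact'))` once the page has loaded; the endpoint itself must stay excluded from the fastcgi cache or every visitor would receive the same token.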
I agree, Derek. 50,000 isn’t all that, but you forget a part of it: it’s a complex website. And by complex, I mean… Drums and fireworks! I mean Solspace Calendar! Booom! Today, if I have to work with events again, I’ll try to use a custom plugin and grid fields.
I asked for the Nexcess white paper, but I’m still waiting for the email… Strange… I read one some time ago. Maybe it’s the same.
I try to always learn more and more about eecms and to make it run smoothly. Today, all my eecms sites are running 2.9 on PHP 5.5. The site in question currently runs on Percona. Maybe someday I’ll become an eecms expert. 😉
Thanks for talking about Snaptcha, but I prefer not to edit core files. I guess I’m gonna try to load the CSRF code by JS. Maybe it’s the better option.
Have you analyzed where the performance issues are bottlenecking? If it’s one specific module, then tag caching with memcached/redis should be sufficient. If your server is bogging down on 50k/month with just letting EE do its native things, then I definitely question the environment.