On 1/3/06, Allen Gilliland <[EMAIL PROTECTED]> wrote:
> team,
>
> just before the holidays, Dave and I discovered a rather unfortunate bug
> created by the way the current comment authenticators work coupled with
> how our page caching works. basically, because the comment
> authenticators actually embed their html in the page at rendering time
> the comment authentication cannot work on a cached page because the page
> will display an old and false cached version of the authenticator html.
>
> the problem has technically existed for quite a long time, however it
> wasn't noticed because in the past we used to have the old /comments/*
> urls and we also didn't have the option of a non-expiring cache. now
> that we allow any page to potentially be cached for a long time we need
> a way to allow the comment authentication to remain dynamic.
>
> my initial thoughts are to use a little AJAX that will call back to a
> servlet and ask how to authenticate. i don't have a proposal yet, but i
> figured i'd ask around first and see if anyone has any other ideas of
> how to tackle this.

Doing this with Ajax should be easy enough - the question is how secure
will it be. If it's JavaScript that can be called, what's to stop
spammers from calling the same methods?

Matt

>
> jira issue is open here ...
>
> http://opensource2.atlassian.com/projects/roller/browse/ROL-935
>
> -- Allen
>
