Jan 16, 2015 · Jan 4, 2015 · Jan 16, 2015 · Jan 16, 2015 · Jan 16, 2015
diff --git a/cookbook/cache/form_csrf_caching.rst b/cookbook/cache/form_csrf_caching.rst
 For more information about how CSRF protection works in Symfony, please
 check :ref:`CSRF Protection <forms-csrf>`.

 Why Reverse Proxy Caches do not Cache these Pages by Default
 ------------------------------------------------------------

 There are many ways to generate unique tokens for each user but in order get
 them validated when the form is submitted, you need to store them inside the
 PHP Session.

 If you are using Varnish or some similar reverse proxy cache and you try to cache
 pages containing forms with CSRF token protection, you will see that, by default,
 the reverse proxy cache refuses to cache.

 This happens because a cookie is sent in order to preserve the PHP session open and
 Varnish default behaviour is to not cache HTTP requests with cookies.

 If you think about it, if you managed to cache the form you would end up
 with many users getting the same token in the form generation. When these
 users try to send the form to the server, the CSRF validation will fail for
 them because the expected token is stored in their session and different
 for each user.

 How to Cache Most of the Page and still Be Able to Use CSRF Protection
 Why Caching Pages with a CSRF token are Problematic
 ---------------------------------------------------

 Typically, each user is assigned a unique CSRF token, which is stored in
 the session for validation. This means that if you *do* cache a page with
 a form containing a CSRF token, you'll cache the CSRF token of the *first*
 user only. When a user submits the form, the token won't match the token
 stored in the session and all users (except for the first) will fail CSRF
 validation when submitting the form.

 In fact, many reverse proxies (like Varnish) will refuse to cache a page
 with a CSRF token. This is because a cookie is sent in order to preserve
 the PHP session open and Varnish's default behaviour is to not cache HTTP
 requests with cookies.

 How to Cache Most of the Page and still be able to Use CSRF Protection
 ----------------------------------------------------------------------

 To cache a page that contains a CSRF token you can use more advanced caching
 techniques like `ESI`_ fragments, having a TTL for the full page and embedding
 the form inside an ESI tag with no cache at all.
 To cache a page that contains a CSRF token, you can use more advanced caching
 techniques like:ref:`ESI fragments <edge-side-includes>`, where you cache
 thefull page and embedding theform inside an ESI tag with no cache at all.

 Another optionto beabletocache that heavy page would be loading the form
 via an uncached AJAX request butcache the rest of the HTML response.
 Another optionwould be toload the form via an uncached AJAX request, but
 cache the rest of the HTML response.

 Or you can even load just the CSRF token with an AJAX request and replace the
 form field value with it.

 .. _`Cross-site request forgery`: http://en.wikipedia.org/wiki/Cross-site_request_forgery
 .. _`ESI`: http://www.w3.org/TR/esi-lang
 .. _`Security CSRF Component`: https://github.com/symfony/security-csrf
Original file line number	Diff line number	Diff line change
Expand Up		@@ -10,39 +10,33 @@ need to be cautious if you try to cache pages with forms including them.
		For more information about how CSRF protection works in Symfony, please
		check :ref:`CSRF Protection <forms-csrf>`.

		Why Reverse Proxy Caches do not Cache these Pages by Default
		------------------------------------------------------------

		There are many ways to generate unique tokens for each user but in order get
		them validated when the form is submitted, you need to store them inside the
		PHP Session.

		If you are using Varnish or some similar reverse proxy cache and you try to cache
		pages containing forms with CSRF token protection, you will see that, by default,
		the reverse proxy cache refuses to cache.

		This happens because a cookie is sent in order to preserve the PHP session open and
		Varnish default behaviour is to not cache HTTP requests with cookies.

		If you think about it, if you managed to cache the form you would end up
		with many users getting the same token in the form generation. When these
		users try to send the form to the server, the CSRF validation will fail for
		them because the expected token is stored in their session and different
		for each user.

		How to Cache Most of the Page and still Be Able to Use CSRF Protection
		Why Caching Pages with a CSRF token are Problematic
Copy link Member xabbuhJan 16, 2015 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Shouldn't it be "is" instead of "are"? And should we add a label for the old headline? Copy link MemberAuthor weaverryanJan 16, 2015 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. You're right! Fixed at sha:`36d1bac`
		---------------------------------------------------

		Typically, each user is assigned a unique CSRF token, which is stored in
		the session for validation. This means that if you do cache a page with
		a form containing a CSRF token, you'll cache the CSRF token of the first
		user only. When a user submits the form, the token won't match the token
		stored in the session and all users (except for the first) will fail CSRF
		validation when submitting the form.

		In fact, many reverse proxies (like Varnish) will refuse to cache a page
		with a CSRF token. This is because a cookie is sent in order to preserve
		the PHP session open and Varnish's default behaviour is to not cache HTTP
		requests with cookies.

		How to Cache Most of the Page and still be able to Use CSRF Protection
		----------------------------------------------------------------------

		To cache a page that contains a CSRF token you can use more advanced caching
		techniques like `ESI`_ fragments, having a TTL for the full page and embedding
		the form inside an ESI tag with no cache at all.
		To cache a page that contains a CSRF token, you can use more advanced caching
		techniques like:ref:`ESI fragments <edge-side-includes>`, where you cache
		thefull page and embedding theform inside an ESI tag with no cache at all.

		Another optionto beabletocache that heavy page would be loading the form
		via an uncached AJAX request butcache the rest of the HTML response.
		Another optionwould be toload the form via an uncached AJAX request, but
		cache the rest of the HTML response.

		Or you can even load just the CSRF token with an AJAX request and replace the
		form field value with it.

		.. _`Cross-site request forgery`: http://en.wikipedia.org/wiki/Cross-site_request_forgery
		.. _`ESI`: http://www.w3.org/TR/esi-lang
		.. _`Security CSRF Component`: https://github.com/symfony/security-csrf