From 1fe8cf77d1582de76028d3e6180c47948c6ca7ba Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Mon, 25 Jun 2018 11:10:49 +1200 Subject: [PATCH] DOCS Upgrading 3.x docs on session stage param [ci skip] --- docs/en/04_Changelogs/3.7.0.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/docs/en/04_Changelogs/3.7.0.md b/docs/en/04_Changelogs/3.7.0.md index 835297432..ffcf89052 100644 --- a/docs/en/04_Changelogs/3.7.0.md +++ b/docs/en/04_Changelogs/3.7.0.md 
@@ -198,6 +198,39 @@ class Page_Controller extends ContentController other layers such as Apache's mod_gzip. +## Disable session-based stage setting + +When viewing a versioned record (usually pages) in "draft" mode, +SilverStripe records this mode in the session for further requests. +This has the advantage of transparently working on XHR and API requests, +as well as authenticated users navigating through other views. + +These subsequent requests no longer carried an explicit `stage` query parameter, +which meant the same URL might show draft or live content depending on your session state. +While most HTTP caching layers deal gracefully with this variation by disabling +any caching when a session cookie is present, there is a small chance +that draft content is exposed to unauthenticated users for the lifetime of the cache. + +Due to this potential risk for information leakage, +we have decided to only rely on the `stage` query parameter starting with SilverStripe 4.2. +In SilverStripe 3.x, you can opt-in to this behaviour as well: + +```yml +SilverStripe\Versioned\Versioned: + use_session: false +``` + +If you are consistently using the built-in `SiteTree->Link()` +and `Controller->Link()` methods to get URLs, this change likely won't affect you. + +If you are manually concatenating URLs to SilverStripe controllers +rather than through their `Link()` methods (in custom PHP or JavaScript), +or have implemented your own `Link()` methods on controllers exposing +versioned objects, you'll need to check your business logic. + +Check our [versioning docs](/developer_guides/model/versioning#controllers) +for more details. + ## Change Log ### Security
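Review bot: the YAML example in this hunk keys the `use_session: false` setting on `SilverStripe\Versioned\Versioned`, but the sentence immediately before it ("In SilverStripe 3.x, you can opt-in to this behaviour as well") and the file being edited (the 3.7.0 changelog) both target the 3.x line, where core classes are not namespaced and the versioning class is configured as plain `Versioned`. Please confirm which class name a 3.x config resolves; if it is the unnamespaced one, the block should read `Versioned:` with `use_session: false` beneath it, because a config key that matches no class is silently ignored and a site owner who copies this snippet to close the draft-content leak described above would believe they had opted in while the session-based stage setting stays active. It would also help to state explicitly in the text that the 4.2 behaviour is the default and this YAML is only needed on 3.x, so the two versions are not confused.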