TYPO3 - how to remove cHash in f:link.action to uncached action?

EDIT: the answer of @Wolffc is totally correct - I had a false return value, so the problem was between chair and screen.

TYPO3 10.4.8

I’m generating a link in a Mail with <f:link.action> to validate a subscription to a Course.

It must not be cached, so I can check if the link has already been clicked, but there is a cHash added to the link.

<f:link.action
    action="validate"
    pluginName="Coursevalidation"
    extensionName="myextension"
    controller="Course"
    pageUid="1"
    absolute="1"
    pageType="1921"
    noCache="1"
    noCacheHash="1"
    arguments="{validationHash: subscription.validationHash, course:course, subscription:subscription}"
>Link</f:link.action>

The documentation says noCache and noCacheHash should not be used (“you should not need this”), and it makes no difference if I add them.

The PageType is uncached, 1921.config.no_cache = 1

The generated link results in (linebreaks for better readability):

https://mydomain.ddev.site/email-validation
?no_cache=1
&tx_myextension_coursevalidation%5Baction%5D=validate
&tx_myextension_coursevalidation%5Bcontroller%5D=Course
&tx_myextension_coursevalidation%5Bcourse%5D=3
&tx_myextension_coursevalidation%5Bsubscription%5D=30
&tx_myextension_coursevalidation%5BvalidationHash%5D=40e83[...thats long ;)...]0d65c
&cHash=5d7688ac4f04a2d31a98f2cffb792e51

As you can see, there's a cHash. The first click on the link triggers my mechanism to check everything, set the subscription to valid, and redirect to the “Success” page, which is exactly what it should do.

The second click opens the success page too, but there should be the message “Already validated”. That page is opened when I call the link without the cHash.

Why is there a cHash added and how can I remove it?

Thanks :)

Best answer

You must define this action as uncached in ext_localconf.php

TYPO3\CMS\Extbase\Utility\ExtensionUtility::configurePlugin

If the plugin action is uncached, TYPO3 will handle that correctly.

The cHash is a checksum over the request parameters and is mainly used to prevent cache bloat attacks. If an attacker generates random parameter sets, the cHash is invalid and the result will not be cached. But the reverse is not true: if the cHash is valid, parts of the page (or even the whole page) might still be uncached.
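What the answer describes, as an added example that is not code from the question or the answer: an ext_localconf.php that registers the `validate` action as non-cacheable. The extension, plugin, controller and action names come from the question's link; the vendor namespace `MyVendor` is an assumption.

```php
<?php
// ext_localconf.php of the extension (added example, not the asker's file)
defined('TYPO3_MODE') or die();

(static function (): void {
    \TYPO3\CMS\Extbase\Utility\ExtensionUtility::configurePlugin(
        'Myextension',       // matches extensionName="myextension" in the link
        'Coursevalidation',  // matches pluginName="Coursevalidation" in the link
        // Controller actions this plugin may execute; the first is the default.
        // "MyVendor" is an assumed namespace, replace it with the real one.
        [
            \MyVendor\Myextension\Controller\CourseController::class => 'validate',
        ],
        // Non-cacheable actions. Extbase renders the plugin as USER_INT when
        // one of these is requested, so validateAction() runs on every click
        // and the "already validated" check sees the current database state
        // instead of a cached result of the first request.
        [
            \MyVendor\Myextension\Controller\CourseController::class => 'validate',
        ]
    );
})();
```

The cHash stays in the generated link and does not need to be removed. Flush the TYPO3 caches after editing ext_localconf.php so the new plugin configuration is picked up.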