Magento 1.8 and Varnish or another FPC

Question

As we all really know, there appears a little problem with Magento 1.8.x and Varnish. Magento team added the support "form_key" for the most the frontend forms and actions. It is really great, everyone should keep safety first. However it causes a problem with FPC systems as Varnish (great article about this is here http://www.supportdesk.nu/blog/110-magento-1-8-form-keys-impact-on-fpc ). Many FPC systems on Magento solves it by putting a placeholder and replace "form_key" during loading a page from cache. It's good for PHP systems that are integrated into Magento , but not for external systems as Varnish. So my question is as follows:

Is there a good enough solution for using FPC as Varnish and Magento 1.8.x?

I consider follows

1) prevent using of the "form_key" on frontend, there are many way to do this (eg: https://bitbucket.org/supportdesk_nl/turpertine-formkey-workaround/src/574ff1851618dc0e76e4274001fbf3efb89c99f6/app/code/community/SupportDesk/CartFormKey/Model/Observer.php?at=master ). However this is hack and is not good generaly. Moreover could be a security risk? What do you mean about this?

2) load the "form_key" via AJAX and replace all links and form inputs by JavaScript code. I'm not sure that it is technicaly realizable (eg: replacing code snippets like onclick="setLocation('....&form_key=XXX');" would be too difficult) and it will causes too many problems and incompatibilities with various extensions.

3) do not use Varnish. Yes it would be a solution, but let's avoid them for now, please.

4) Your suggestions ???

Many thanks for your answers.

Answer 1

Which FPC are you trying to use anyway? We use Lesti FPC (with Redis Cache backends, and session backends) with Varnish and it works fine.

I don't know if you've properly read one of the links you posted, but Lesti FPC is already patched via this commit, 5 months ago .