I'm using Varnish and have a couple of existing modules which do searching. The way that they work is, using forms api, drupal_goto('mysearch/search+terms').
Here's the rub. I have to patch both core and these modules to keep them working with varnish. If I don't I get the notorious "This form is outdated. Reload the page and try again" message. I understand why—the form token is cached in the body of the document, and fails to validate for additional users. I'm a bit at a loss on the best solution for this.
According to the form api, setting $form['token'] = FALSE will skip the CSRF prevention and allow the same cached page to be submitted several times. This isn't ideal, and it also doesn't work without this diff in form.inc:
--- form.inc 2012-02-01 14:03:14.000000000 -0800
+++ form2.inc 2012-02-10 09:58:36.000000000 -0800
@@ -978,7 +978,8 @@
// tokens are session-bound and forms displayed to anonymous users are very
// likely cached, we cannot assign a token for them.
// During installation, there is no $user yet.
- if (!empty($user->uid) && !$form_state['programmed']) {
+ if ((!empty($user->uid) || $user->uid==0) && !$form_state['programmed']) {
// Form constructors may explicitly set #token to FALSE when cross site
// request forgery is irrelevant to the form, such as search forms.
if (isset($form['#token']) && $form['#token'] === FALSE) {
I don't know if this was by design or an accident. Uid 0, our user in question, can never make that clause succeed.
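Review bot: on the changed if line, (!empty($user->uid) || $user->uid==0) is true for every uid value, so the uid test no longer gates anything. Non-zero uids satisfy the first test, 0 satisfies the second, and because == is a loose comparison a NULL or unset uid also compares equal to 0, which is the "there is no $user yet" installation case named in the comment above. The comment saying a token cannot be assigned for anonymous users is then out of step with the condition. If the goal is only to let #token === FALSE be honoured for uid 0, move that check out from under the uid condition and keep the rest of the block restricted to !empty($user->uid); at minimum update the comment, and write the comparison as === 0 with spaces around the operator to match the surrounding style.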
Another option, which is what the contact module uses, is not to let the page be cached. This isn't really an option for us since these modules provide blocks which are on every page.
The only other thing I can come up with is to revise the modules such that they use HTTP GET instead of fapi/drupal_goto. This isn't much better in my opinion, but would work since they would be HTML forms.
I hope there's an option I'm missing which "just works". Thank you.
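Added example, not part of the original post and not Drupal's own code: a simplified PHP model of the failure described above, where a session-bound form token is rendered once, stored by a URL-keyed page cache, and then submitted by a different visitor. The function names, the site secret and the session ids are hypothetical and constructed for the illustration.

```php
<?php
// Simplified model of a session-bound form token behind a shared page cache.
// Every name below is hypothetical; this is not the code in form.inc.

const SITE_KEY = 'constructed-site-secret'; // constructed sample value

// Token = HMAC over the form id, keyed with the visitor's session id
// plus a site-wide secret, so it is only valid for that one session.
function make_token(string $session_id, string $form_id): string {
  return hash_hmac('sha256', $form_id, $session_id . SITE_KEY);
}

// Constant-time comparison of the submitted token with the expected one.
function token_is_valid(string $session_id, string $form_id, string $token): bool {
  return hash_equals(make_token($session_id, $form_id), $token);
}

// A cache keyed only by URL, as a reverse proxy keys anonymous pages.
// Returns the token embedded in the page body that the visitor receives.
function render_cached(array &$cache, string $url, string $session_id): string {
  if (!isset($cache[$url])) {
    // Cache miss: the page is built once, with this visitor's token in it.
    $cache[$url] = make_token($session_id, 'search_block_form');
  }
  return $cache[$url];
}

$cache = [];
// Visitor A triggers the render; visitor B is served A's cached body.
$token_a = render_cached($cache, '/front', 'session-A');
$token_b = render_cached($cache, '/front', 'session-B');

// Both visitors hold the same token, because the cache ignored the session.
printf("same token served to both: %s\n", var_export($token_a === $token_b, TRUE));

// A's submission validates against A's session.
printf("A submits: %s\n",
  var_export(token_is_valid('session-A', 'search_block_form', $token_a), TRUE));

// B submits the cached token, which was derived from A's session.
printf("B submits: %s\n",
  var_export(token_is_valid('session-B', 'search_block_form', $token_b), TRUE));
```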
Comments
subscribing
Interesting question, I would
Good question, I would be interested in this too.
So it looks like modules such as Webform automatically support Varnish. Perhaps you should take a look at the source and figure out how it does it?