Dave Cohen wrote:
I have a situation in which I can't preserve any session information for my users. No cookies are available. I'm able to present pages OK, but all form submissions fail.
They fail because each form includes a token, and on submit the token is tested by drupal_valid_token(). The test always fails because the session_id() is never the same between when the form was generated and when submitted.
Now, I notice that drupal_valid_token takes a parameter $skip_anonymous, which does almost what I want, it skips the test when the user is anonymous (why only for anonymous users, I have no idea). So it looks like someone had in mind a situation like mine. But as far as I can tell $skip_anonymous is never used. There's no way to configure FAPI to use it.
So my questions are these: can anyone explain to me better what's going on here and what $skip_anonymous is for? And if I submit a patch that makes FAPI configurable to skip this check, is there any chance it would make it into the next 5.x and/or 6.x release?
For the curious, my situation is a Facebook Application using Drupal for Facebook <http://drupal.org/project/fb>. When presenting a facebook "canvas page", the requests come from facebook, not the user's browser. And if the facebook user is not "logged in" to the app, there is no session information whatsoever available.
I'm interested in other approaches to solve this problem. For example, if I could somehow alter all local urls to include a ?mysession=nnnnn, which stays the same through all links and form submits, that would be amazing. Any ideas are welcome.
The tokens protect against cross site request forgeries (CSRF) where a malicious site causes your browser to submit a request to a site where you are logged in. As the submission occurs with your credentials (but without intend) its result is the same as when you submitted the form with intend. The token is there to protect you against this. Now, as an external site has the same permissions as anonymous user, there's no point to protect their form submissions with such a token. As the token doesn't play well with page caching on top of that, tokens are not included in (nor checked for) forms that are displayed to anonymous users. Forms where #token is set to false, do not get a token as well. I'm not sure what you are doing exactly and haven't had the time to review the code on fb, so I regrettably can't give you any helpful suggestions that are still secure. Heine