forms without session
I have a situation in which I can't preserve any session information for my users. No cookies are available. I'm able to present pages OK, but all form submissions fail.

They fail because each form includes a token, and on submit the token is tested by drupal_valid_token(). The test always fails because the session_id() is never the same between when the form was generated and when submitted.

Now, I notice that drupal_valid_token takes a parameter $skip_anonymous, which does almost what I want: it skips the test when the user is anonymous (why only for anonymous users, I have no idea). So it looks like someone had in mind a situation like mine. But as far as I can tell $skip_anonymous is never used. There's no way to configure FAPI to use it.

So my questions are these: can anyone explain to me better what's going on here and what $skip_anonymous is for? And if I submit a patch that makes FAPI configurable to skip this check, is there any chance it would make it into the next 5.x and/or 6.x release?

For the curious, my situation is a Facebook Application using Drupal for Facebook <http://drupal.org/project/fb>. When presenting a Facebook "canvas page", the requests come from Facebook, not the user's browser. And if the Facebook user is not "logged in" to the app, there is no session information whatsoever available.

I'm interested in other approaches to solve this problem. For example, if I could somehow alter all local URLs to include a ?mysession=nnnnn, which stays the same through all links and form submits, that would be amazing. Any ideas are welcome.

Thanks,
-Dave
Dave Cohen wrote:
> I have a situation in which I can't preserve any session information for my users. No cookies are available. I'm able to present pages OK, but all form submissions fail.
>
> They fail because each form includes a token, and on submit the token is tested by drupal_valid_token(). The test always fails because the session_id() is never the same between when the form was generated and when submitted.
>
> Now, I notice that drupal_valid_token takes a parameter $skip_anonymous, which does almost what I want: it skips the test when the user is anonymous (why only for anonymous users, I have no idea). So it looks like someone had in mind a situation like mine. But as far as I can tell $skip_anonymous is never used. There's no way to configure FAPI to use it.
>
> So my questions are these: can anyone explain to me better what's going on here and what $skip_anonymous is for? And if I submit a patch that makes FAPI configurable to skip this check, is there any chance it would make it into the next 5.x and/or 6.x release?
>
> For the curious, my situation is a Facebook Application using Drupal for Facebook <http://drupal.org/project/fb>. When presenting a Facebook "canvas page", the requests come from Facebook, not the user's browser. And if the Facebook user is not "logged in" to the app, there is no session information whatsoever available.
>
> I'm interested in other approaches to solve this problem. For example, if I could somehow alter all local URLs to include a ?mysession=nnnnn, which stays the same through all links and form submits, that would be amazing. Any ideas are welcome.
The tokens protect against cross-site request forgeries (CSRF), where a malicious site causes your browser to submit a request to a site where you are logged in. As the submission occurs with your credentials (but without intent), its result is the same as when you submitted the form with intent. The token is there to protect you against this.

Now, as an external site has the same permissions as the anonymous user, there's no point in protecting their form submissions with such a token. As the token doesn't play well with page caching on top of that, tokens are not included in (nor checked for) forms that are displayed to anonymous users. Forms where #token is set to FALSE do not get a token either.

I'm not sure what you are doing exactly and haven't had the time to review the code on fb, so I regrettably can't give you any helpful suggestions that are still secure.

Heine
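Heine's explanation above, worked through as an added stand-alone PHP script (it is not Drupal code and not from anyone in this thread). It reimplements the Drupal 5/6 token formula, md5 of the session id, the form value and the site's private key, with hard-coded sample session ids, a constructed private key and plain integer uids standing in for $user->uid, and shows why the check fails when the session id changes between rendering and submission, and exactly what $skip_anonymous relaxes:

```php
<?php
// Added illustration, not Drupal's own code. The functions below mirror the
// Drupal 5/6 drupal_get_token() / drupal_valid_token() formula; the private
// key, session ids and uids are constructed sample values.

$private_key = 'constructed-private-key-for-demo';

// Stand-in for drupal_get_token(): the token is bound to the session id that
// is current when the form is rendered.
function get_token($session_id, $value, $private_key) {
  return md5($session_id . $value . $private_key);
}

// Stand-in for drupal_valid_token($token, $value, $skip_anonymous): the check
// is bypassed only when $skip_anonymous is TRUE *and* the user is anonymous
// (uid 0). Everyone else must reproduce the token exactly, which requires the
// same session id, the same form value and the same private key.
function valid_token($token, $session_id, $value, $private_key, $uid, $skip_anonymous = FALSE) {
  if ($skip_anonymous && $uid == 0) {
    return TRUE;
  }
  // Drupal compared with ==; a strict comparison is used here.
  return $token === md5($session_id . $value . $private_key);
}

function report($label, $ok) {
  echo str_pad($label, 58) . ($ok ? 'valid' : 'rejected') . "\n";
}

$form_id = 'user_edit';
$uid_authenticated = 5;
$uid_anonymous = 0;

// 1. Normal browser flow: the session cookie keeps session_id() stable between
//    the GET that rendered the form and the POST that submits it.
$sid_at_render = 'sess-aaaa';
$token = get_token($sid_at_render, $form_id, $private_key);
report('same session, authenticated user',
  valid_token($token, $sid_at_render, $form_id, $private_key, $uid_authenticated));

// 2. Dave's situation: no cookie, so the POST arrives with a fresh session id.
//    The submitted token was computed over a session that no longer exists.
$sid_at_submit = 'sess-bbbb';
report('new session on submit, authenticated user',
  valid_token($token, $sid_at_submit, $form_id, $private_key, $uid_authenticated));

// 3. $skip_anonymous relaxes the check only for uid 0 ...
report('new session on submit, anonymous, skip_anonymous=TRUE',
  valid_token($token, $sid_at_submit, $form_id, $private_key, $uid_anonymous, TRUE));
// ... an authenticated user still has to present a token from their own session.
report('new session on submit, authenticated, skip_anonymous=TRUE',
  valid_token($token, $sid_at_submit, $form_id, $private_key, $uid_authenticated, TRUE));

// 4. The form id is part of the hash, so a token captured for one form cannot
//    be replayed against a different form even within the same session.
report('same session, token replayed against another form',
  valid_token($token, $sid_at_render, 'node_form', $private_key, $uid_authenticated));
```

Run it with the PHP CLI; the labels make the point of each case clear. Case 2 is the failure Dave describes: nothing about the token is wrong, it is simply bound to a session id the submitting request no longer carries. Case 3 shows that $skip_anonymous is not a general off switch; it only lets an anonymous (uid 0) submission through, which matches Heine's reasoning that an anonymous submission gains nothing from a token because an external site already has anonymous permissions. Any change that relaxes the check for authenticated users (uid != 0) removes the CSRF protection for exactly the accounts it was meant to protect.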
Dave Cohen wrote:
> I have a situation in which I can't preserve any session information for my users. No cookies are available. I'm able to present pages OK, but all form submissions fail.
Funny you posted this. I was about to post something myself for Facebook apps using FBML (this is a non-issue if you use the IFRAME option for FB apps). So if we turn off form token validation using the following form_alter and hack #action in system.module (there's probably a non-hack way to do this), I can get forms to submit and save data while in FBML mode. But, at least on user/x/edit, I get a FB canvas page trying to load a FB login page as FBML, probably from something getting weird on redirect.

Dave, let's connect on Skype sometime this week (SN: schoolengine) as I'm gearing up to do my next app and want to get it all FBML instead of using IFRAMEs, and would like to merge our FB module code and get this stuff solid.
  /**
   * Implementation of hook_form_alter().
   *
   * Turns off form token validation since for Facebook apps using FBML
   * all requests come from Facebook's servers.
   */
  function facebook_app_form_alter($form_id, &$form) {
    // Removing #token before drupal_prepare_form() adds the form_token
    // element means no token is rendered and none is checked on submit.
    unset($form['#token']);
  }

  // Hack in system.module: rewrite the top-level form action so the POST
  // goes back through the Facebook canvas path.
  function system_elements() {
    // Top level form...just testing FB hack
    $type['form'] = array('#method' => 'post', '#action' => '/myappname' . request_uri());
    // ... remaining element definitions unchanged ...
    return $type;
  }

-Rob
participants (4)
- Dave Cohen
- Heine Deelstra
- Moshe Weitzman
- Rob Barreca