[drupal-devel] Seems like form validation might fail with some users

Jeremy Andrews lists at kerneltrap.org
Sun Nov 6 23:09:35 UTC 2005 

I've replied to this a couple of times, but it's been blocked
by the mailing list software.  One last try...

On Sun, 6 Nov 2005 13:54:20 -0500
Steve Dondley <sdondley at gmail.com> wrote:

> Some ISP's, like AOL, change a user's IP address from one
> page view to the next.  It seems like this might cause a
> problem for the new forms API which uses the IP address to
> create a token used to validate a form.  The IP address
> collected from the user when used the form gets loaded
> could be different from the IP address seen when submitting
> it.

The form validation code was originally added in this thread:
http://drupal.org/node/28420
(see #23 - #26)

We discussed using the IP or the session_id, and I chose the
IP at the time.  If ISPs out there really change a user's IP
with each page load (that seems awfully ugly to me, but
whatever), then something needs to change in our code.

Is there ever a time where the session_id may change from
page to page (ie, what if cookies are disabled in the
browser, and the server isn't configured to embed session
ID's in the URL?)

The attached patch is all it would take to switch from IP's
to Session ID's.  Alternatively you could just remove the
IP/session_id and form validation would still offer
protection from spammers.

-Jeremy



-------------- next part --------------
--- includes/form.inc.orig	2005-11-06 14:58:50.000000000 -0500
+++ includes/form.inc	2005-11-06 15:01:01.000000000 -0500
@@ -59,7 +59,7 @@
       variable_set('drupal_private_key', mt_rand());
     }
 
-    $form['form_token'] = array('#type' => 'hidden', '#value' => md5($_SERVER['REMOTE_ADDR'] . $form['#token'] . variable_get('drupal_private_key',
+    $form['form_token'] = array('#type' => 'hidden', '#value' => md5(session_id() . $form['#token'] . variable_get('drupal_private_key',
 '')));
   }
   $form['form_id'] = array('#type' => 'hidden', '#default_value' => $form_id);
@@ -98,7 +98,7 @@
   global $form_values;
 
   if (isset($form['#token'])) {
-    if ($form_values['form_token'] != md5($_SERVER['REMOTE_ADDR'] . $form['#token'] . variable_get('drupal_private_key', ''))) {
+    if ($form_values['form_token'] != md5(session_id() . $form['#token'] . variable_get('drupal_private_key', ''))) {
       // setting this error will cause the form to fail validation
       form_set_error('form_token', t('Validation error, please try again.  If this error persists, please contact the site administrator.'));
     }

More information about the development mailing list